CVE-2024-56902
Published: 03 February 2025
Summary
CVE-2024-56902 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.0% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.
The mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management), AC-14 (Permitted Actions Without Identification or Authentication) and AU-13 (Monitoring for Information Disclosure).
Deeper analysis
CVE-2024-56902 is an information disclosure vulnerability affecting the Geovision GV-ASManager web application in versions 6.1.0.0 and earlier. The flaw, assigned CWE-200, allows exposure of account information including cleartext passwords. Its CVSS 3.1 score of 7.5 reflects a network attack vector, low attack complexity, no required privileges or user interaction, and high confidentiality impact with no integrity or availability impact.
Unauthenticated remote attackers can exploit the issue over the network to retrieve account credentials, including cleartext passwords, that the application stores or transmits. Those credentials can then be used to log in to the access-control management system itself, and to any other system where the same passwords are reused.
The single reference points to a public GitHub repository documenting the CVE; no official vendor advisory, patch, or mitigation guidance is provided in the available details. The associated EPSS score has remained flat at 0.3347 with no material increase since disclosure. In the absence of vendor guidance, the obvious compensating measures are to keep the GV-ASManager web interface unreachable from untrusted networks and to rotate the credentials it holds, since any password it stored may already have been exposed.
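The pattern behind this CVE, an account-information endpoint that answers unauthenticated requests with the whole stored record, is easiest to see beside its fixed form. The following is an added example written for this page, not GV-ASManager code; the request shape, field names, session handling and role model are assumptions, and the sample accounts are constructed. The hardened handler does what the IA-5 and AC-14 controls listed under Mitigating Controls ask for: it keeps only salted password hashes, refuses unauthenticated callers before touching any account data, and serialises an explicit allowlist of fields.

```python
"""Added example, not GV-ASManager code: an account-info handler that
discloses cleartext passwords to anyone (CWE-200), beside a hardened handler.
Request shape, field names, session handling and role model are assumptions."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Constructed sample accounts. Storing the password itself is the first defect:
# whatever the serializer can reach, it can leak.
ACCOUNTS_CLEARTEXT = {
    "admin": {"username": "admin", "password": "Summer2024!", "role": "administrator"},
    "guard1": {"username": "guard1", "password": "door123", "role": "operator"},
}


def vulnerable_account_info(request: Dict) -> Dict:
    """No authentication check, and the whole record (password included) is returned."""
    record = ACCOUNTS_CLEARTEXT.get(request.get("query", {}).get("user", ""))
    if record is None:
        return {"status": 404, "body": {}}
    return {"status": 200, "body": dict(record)}  # cleartext password goes out on the wire


# ---- hardened version -------------------------------------------------------
PBKDF2_ROUNDS = 200_000
PUBLIC_FIELDS = ("username", "role")   # explicit allowlist, never the whole record
SESSIONS: Dict[str, str] = {}          # bearer token -> username


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Salted PBKDF2-HMAC-SHA256; only this, never the password, is stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify_password(password: str, stored: Dict[str, bytes]) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), stored["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored["digest"])


# Hashed store seeded from the sample cleartext purely to build the demo; a real
# deployment never has the cleartext available to do this at runtime.
ACCOUNTS_HASHED = {
    name: {"username": rec["username"], "role": rec["role"],
           "password_hash": hash_password(rec["password"])}
    for name, rec in ACCOUNTS_CLEARTEXT.items()
}


def login(username: str, password: str) -> Optional[str]:
    """Issue a random bearer token on a correct password, None otherwise."""
    record = ACCOUNTS_HASHED.get(username)
    if record is None or not verify_password(password, record["password_hash"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def _caller(request: Dict) -> Optional[str]:
    """Resolve the Authorization header to a username; None if absent or unknown."""
    header = request.get("headers", {}).get("Authorization", "")
    scheme, _, token = header.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return SESSIONS.get(token)


def hardened_account_info(request: Dict) -> Dict:
    """Authenticate first (AC-14), authorize, then serialise only public fields (IA-5)."""
    caller = _caller(request)
    if caller is None:
        return {"status": 401, "body": {}}   # nothing is disclosed without a session
    target = request.get("query", {}).get("user", "")
    if ACCOUNTS_HASHED[caller]["role"] != "administrator" and target != caller:
        return {"status": 403, "body": {}}   # operators may only read their own record
    record = ACCOUNTS_HASHED.get(target)
    if record is None:
        return {"status": 404, "body": {}}
    return {"status": 200, "body": {k: record[k] for k in PUBLIC_FIELDS}}
```

Two details matter more than they look. The hardened handler answers 401 before it looks up the target, so an unauthenticated caller cannot even enumerate usernames from 404-versus-200 differences. And the allowlist, rather than a denylist of "password", is what keeps the fix intact when someone later adds a PIN or card-secret column to the record.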
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53446
Vulnerability details
Information disclosure vulnerability in Geovision GV-ASManager web application with the version v6.1.0.0 or less, which discloses account information, including cleartext password.
- CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1552 Unsecured Credentials
Why these techniques?
Direct remote exploitation of the public-facing web application (T1190) yields credentials held in cleartext, which is the Unsecured Credentials technique (T1552); no foothold or prior access is needed for either step.
Affected Assets
- Geovision GV-ASManager web application, versions 6.1.0.0 and earlier
Mitigating Controls (NIST 800-53 r5)
IA-5 mandates protection of authenticators such as passwords from unauthorized disclosure and requires that they not be stored or transmitted in cleartext. If the application held only salted password hashes, an information-disclosure flaw would have no cleartext password to return.
AC-14 limits the actions that may be performed without identification or authentication to an explicitly authorized set. Reading account information is not a legitimate member of that set, so enforcing AC-14 closes the unauthenticated path to the disclosing endpoint.
AU-13 requires monitoring the system for unauthorized disclosure of sensitive information. Here that means watching for credential-shaped fields in responses and for unauthenticated requests that are answered with account data, which is the signature of this CVE being exploited.
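What an AU-13 monitor for this class of flaw looks like in practice: inspect response bodies at a reverse proxy or WAF and raise an alert whenever a credential-shaped field leaves the server, flagging it as exploitation when the request was unauthenticated. The following is an added example written for this page, not part of any vendor tooling. The proxy log format (one JSON object per line with the response body captured), the paths, and the sample records are all constructed assumptions; the scanner handles JSON bodies of any nesting depth and falls back to key=value parsing for non-JSON bodies.

```python
"""Added example (not part of the CVE page or any vendor tooling): a
response-body monitor for credential disclosure, the check NIST 800-53 AU-13
asks for. Log format, paths and field names are assumptions."""
import json
import re
from typing import Any, Dict, Iterator, List, Tuple

# Keys whose values count as credentials. Session tokens are deliberately
# excluded: a login endpoint legitimately returns one.
SECRET_KEY_RE = re.compile(r"(pass(word|wd)?|pwd|secret|api[_-]?key)", re.IGNORECASE)
# Fallback for non-JSON bodies such as form-encoded or key=value text.
KV_RE = re.compile(r"(?P<key>[A-Za-z_][A-Za-z0-9_-]*)=(?P<value>[^&\s]+)")

# Constructed proxy log: one JSON object per line, response bodies captured.
SAMPLE_RECORDS = [
    {"src": "203.0.113.7", "method": "GET", "path": "/api/account?user=admin",
     "authenticated": False, "status": 200,
     "response_body": '{"username":"admin","password":"Summer2024!","role":"administrator"}'},
    {"src": "10.0.0.5", "method": "GET", "path": "/api/account?user=admin",
     "authenticated": True, "status": 200,
     "response_body": '{"username":"admin","role":"administrator"}'},
    {"src": "10.0.0.5", "method": "POST", "path": "/api/login",
     "authenticated": False, "status": 200,
     "response_body": '{"token":"9f1c2a","expires":3600}'},
    {"src": "203.0.113.7", "method": "GET", "path": "/api/export",
     "authenticated": False, "status": 200,
     "response_body": "user=guard1&password=door123&role=operator"},
    {"src": "10.0.0.8", "method": "GET", "path": "/api/account?user=guard1",
     "authenticated": True, "status": 200,
     "response_body": '{"username":"guard1","password":"","role":"operator"}'},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


def _walk(obj: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted_path, value) for every leaf of a parsed JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, obj


def _credential_fields(body: str) -> List[Tuple[str, str]]:
    """Return (field, value) pairs in a response body that look like credentials."""
    found: List[Tuple[str, str]] = []
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if doc is not None:
        for path, value in _walk(doc):
            leaf = path.rsplit(".", 1)[-1]
            if SECRET_KEY_RE.search(leaf) and isinstance(value, str) and value:
                found.append((path, value))
        return found
    for match in KV_RE.finditer(body):
        if SECRET_KEY_RE.search(match.group("key")) and match.group("value"):
            found.append((match.group("key"), match.group("value")))
    return found


def redact(value: str) -> str:
    """Never copy the secret into the alert: a monitor that re-logs passwords is itself a disclosure."""
    return f"<redacted, {len(value)} chars>"


def find_credential_disclosures(ndjson_log: str) -> List[Dict[str, Any]]:
    """Scan an NDJSON proxy log and return one alert per credential field that left the server."""
    alerts: List[Dict[str, Any]] = []
    for lineno, line in enumerate(ndjson_log.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("status") != 200:
            continue
        for field, value in _credential_fields(rec.get("response_body", "")):
            alerts.append({
                "line": lineno,
                "src": rec.get("src"),
                "path": rec.get("path"),
                "field": field,
                "unauthenticated": not rec.get("authenticated", False),
                "value": redact(value),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_credential_disclosures(SAMPLE_LOG):
        print(alert)
```

On the constructed log this raises two alerts, both for unauthenticated requests from the same source: the JSON account record on line 1 and the form-encoded export on line 4. The login response and the empty password field are correctly ignored. The redaction step is not cosmetic; the alert pipeline usually flows into a SIEM with far wider read access than the application database, and forwarding the cleartext password there would reproduce the very exposure the control exists to catch.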