CVE-2024-10081

CRITICAL EXPLOITED NUCLEI

CodeChecker <= 6.24.1 - Authentication Bypass via API URL Ending with Authentication

Title source: llm

Exploitation Summary

CVE-2024-10081 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the API URL ends with Authentication. This bypass allows superuser access to all API endpoints other than Authentication. These endpoints include the ability to add, edit, and remove products, among others. All endpoints, apart from the /Authentication is affected by the vulnerability. This issue affects CodeChecker: through 6.24.1.

Nuclei Templates (1)

CodeChecker <= 6.24.1 - Authentication Bypass

CRITICALVERIFIEDby iamnoooob,rootxharsh,pdresearch

Shodan: http.favicon.hash:-1496590341

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://github.com/Ericsson/codechecker/security/advisories/GHSA-f3f8-vx3w-hp5q

Scores

CVSS v3 10.0

EPSS 0.3922

EPSS Percentile 98.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2024-12-10

CWE

CWE-288 CWE-420

Status published

Products (2)

ericsson/codechecker < 6.24.2

pypi/codechecker 0 - 6.24.2PyPI

Published Nov 06, 2024

Tracked Since Feb 18, 2026