CRITICAL🇵🇱 Wersja polska

CVE-2024-10081

CVSS 10.0v3.1pub. 2024-11-06upd. 2025-11-14

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the API URL ends with Authentication. This bypass allows superuser access to all API endpoints other than Authentication. These endpoints include the ability to add, edit, and remove products, among others. All endpoints, apart from the /Authentication is affected by the vulnerability. This issue affects CodeChecker: through 6.24.1.

🤖 AI Analysis
How it works

The vulnerability (CWE-288, CWE-420) consists in the access control mechanism being bypassed when the request URL ends with the string 'Authentication'. This allows an unauthenticated attacker to circumvent the authorization layer and send requests to all API endpoints except the /Authentication endpoint itself. The error concerns the URL path verification logic, not the network layer, meaning no special network access is required.

Impact

The attacker gains superuser privileges to the entire API, enabling the addition, modification, and deletion of products and the execution of other privileged administrative operations. The vulnerability leads to complete compromise of the confidentiality and integrity of data stored in the system.

Mitigation & patch

Apply patches available from the manufacturer in accordance with the references. Details regarding the fixed version are available in the GitHub repository at: https://github.com/Ericsson/codechecker/security/advisories/GHSA-f3f8-vx3w-hp5q. Until the update is applied, it is recommended to restrict network access to the CodeChecker instance only to trusted hosts.

Who is affected

Ericsson CodeChecker in all versions up to and including 6.24.1.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
  • Ericsson Codechecker

    APP
    Ericsson
    < 6.24.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-25660CRITICAL9.3PL ✓ten sam produkt

Ericsson CodeChecker — Authentication Bypass umożliwiający eskalację uprawnień

CVE-2024-53829HIGH8.2ten sam produkt

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Cla...

CVE-2024-10082HIGH8.7ten sam produkt

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Cla...

CVE-2025-40843MEDIUM5.9ten sam produkt

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Cla...

CVE-2025-1300MEDIUM6.1ten sam produkt

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Cla...