
CVE-2024-24825:
DIRAC's TokenManager does not check permissions on cached tokens

CVSS Score (v3.1): 9.1

Basic Information

EPSS Score: 0.3212%
Published: 2/8/2024
Updated: 11/21/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
DIRAC        | pip       | >= 8.0.0, < 8.0.37  | 8.0.37
dirac        | pip       | >= 0, < 8.0.37      | 8.0.37

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from the server-side token caching mechanism. Key evidence includes:

  1. The patch removed the __tokensCache initialization and all cache interaction logic
  2. The @gTokensSync decorator (for cache synchronization) was removed
  3. The getCachedToken check was eliminated from the token retrieval flow
  4. Documentation changes emphasize removal of server-side caching
  5. The vulnerability description explicitly states cached tokens were accessible across users

The export_getToken function was vulnerable because it served cached tokens without re-validating permissions: authorization was checked only when a token was first requested and populated into the cache, not on each subsequent cache hit, so a token cached for one user or client could be returned to any other caller.
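The ordering defect described above, as an added illustration written for this page rather than code from DIRAC: a toy token manager that authorizes only on a cache miss, beside a variant that authorizes before consulting the cache. All names here (TokenStore-style `_cache`, `VulnerableTokenManager`, `HardenedTokenManager`, `is_allowed`, `mint_token`, the `POLICY` table) are hypothetical stand-ins; DIRAC's actual fix in 8.0.37 removed the server-side cache outright rather than re-checking on every access as the hardened variant does.

```python
"""Stand-in model of a cached-token authorization gap (example for this page, not DIRAC code)."""
import secrets
import time

# Constructed policy: (requester, subject) pairs that are allowed.
# A requester may obtain its own token; the hypothetical "dirac_admin" may obtain anyone's.
POLICY = {
    ("alice", "alice"),
    ("bob", "bob"),
    ("dirac_admin", "alice"),
    ("dirac_admin", "bob"),
}


def is_allowed(requester: str, subject: str) -> bool:
    """Authorization check: may `requester` obtain a token for `subject`?"""
    return (requester, subject) in POLICY


def mint_token(subject: str, ttl: int = 3600) -> dict:
    """Stand-in for a round trip to the identity provider; returns an opaque token."""
    return {"sub": subject, "access_token": secrets.token_urlsafe(16), "exp": time.time() + ttl}


class VulnerableTokenManager:
    """Checks authorization only when the cache misses. A cache hit is served to anyone."""

    def __init__(self) -> None:
        self._cache: dict[str, dict] = {}  # subject -> token, shared across all requesters

    def get_token(self, requester: str, subject: str) -> dict:
        cached = self._cache.get(subject)
        if cached is not None and cached["exp"] > time.time():
            return cached  # BUG: `requester` is never consulted on a cache hit
        if not is_allowed(requester, subject):
            raise PermissionError(f"{requester} may not obtain a token for {subject}")
        token = mint_token(subject)
        self._cache[subject] = token
        return token


class HardenedTokenManager:
    """Checks authorization on every call, before the cache is consulted."""

    def __init__(self) -> None:
        self._cache: dict[str, dict] = {}

    def get_token(self, requester: str, subject: str) -> dict:
        if not is_allowed(requester, subject):  # the check now precedes the cache lookup
            raise PermissionError(f"{requester} may not obtain a token for {subject}")
        cached = self._cache.get(subject)
        if cached is not None and cached["exp"] > time.time():
            return cached
        token = mint_token(subject)
        self._cache[subject] = token
        return token


def leak_check() -> dict:
    """For each manager: does bob receive alice's cached token? (True means leaked.)"""
    results = {}
    for name, cls in (("vulnerable", VulnerableTokenManager), ("hardened", HardenedTokenManager)):
        mgr = cls()
        alice_token = mgr.get_token("dirac_admin", "alice")  # legitimate request populates the cache
        try:
            bob_sees = mgr.get_token("bob", "alice")  # bob has no right to alice's token
            results[name] = bob_sees["access_token"] == alice_token["access_token"]
        except PermissionError:
            results[name] = False
    return results


if __name__ == "__main__":
    print(leak_check())
```

The vulnerable manager leaks only after someone authorized has populated the cache, which is why a cold cache looks correct in a quick test; exercise the hit path, not just the miss path, when reviewing any cache that sits in front of an authorization check.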



### Impact

Any user could get a token that has been requested by another user/client.

### Patches

The vulnerability is fixed in version 8.0.37.

### Workarounds

None

### References
