5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-47529

GHSA ID

GHSA-4xqv-47rm-37mm

EPSS Score

0.10461%

CWE

CWE-312

Published

10/2/2024

Updated

11/13/2024

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-47529

CVE-2024-47529:
OpenC3 stores passwords in clear text (`GHSL-2024-129`)

Summary

OpenC3 COSMOS stores the password of a user unencrypted in the LocalStorage of a web browser. This makes the user password susceptible to exfiltration via Cross-site scripting (see GHSL-2024-128).

Note: This CVE only affects Open Source edition, and not OpenC3 COSMOS Enterprise Edition

Impact

This issue may lead to Information Disclosure.

(GitHub Advisory)

5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-47529

GHSA ID

GHSA-4xqv-47rm-37mm

EPSS Score

0.10461%

CWE

CWE-312

Published

10/2/2024

Updated

11/13/2024

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
openc3	rubygems	< 5.19.0	5.19.0
@openc3/tool-common	npm	< 5.19.0	5.19.0
openc3	pip	>= 0, < 5.19.0	5.19.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The primary vulnerability stems from the Login.vue component's login function storing raw passwords in localStorage. The pre-patch code showed direct assignment of 'this.password' to localStorage.openc3Token. The AuthModel.verify function's handling of service password comparison in cleartext and lack of proper password hashing (SHA2 without salt) created secondary exposure risks. The commit diff shows these were replaced with session token handling and proper credential management.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry Op*n** *OSMOS stor*s t** p*sswor* o* * us*r un*n*rypt** in t** Lo**lStor*** o* * w** *rows*r. T*is m*k*s t** us*r p*sswor* sus**pti*l* to *x*iltr*tion vi* *ross-sit* s*riptin* (s** **SL-****-***). Not*: T*is *V* only *****ts Op*n Sour**

Reasoning

T** prim*ry vuln*r**ility st*ms *rom t** Lo*in.vu* *ompon*nt's lo*in *un*tion storin* r*w p*sswor*s in lo**lStor***. T** pr*-p*t** *o** s*ow** *ir**t *ssi*nm*nt o* 't*is.p*sswor*' to lo**lStor***.op*n**Tok*n. T** *ut*Mo**l.v*ri*y *un*tion's **n*lin*

5.9

Basic Information

Concerned about an active attack path?

CVE-2024-47529: OpenC3 stores passwords in clear text (`GHSL-2024-129`)

Summary

Impact

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-47529:
OpenC3 stores passwords in clear text (`GHSL-2024-129`)

Vulnerability Intelligence
Miggo AI