8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-49376

GHSA ID

GHSA-v46j-h43h-rwrm

EPSS Score

0.41312%

CWE

CWE-287

Published

10/25/2024

Updated

11/15/2024

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-49376

CVE-2024-49376: Autolab Misconfigured Reset Password Permissions

Impact

For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users' accounts by resetting their passwords.

Patches

This is fixed in v3.0.1.

Workarounds

No workarounds.

For more information

If you have any questions or comments about this advisory:

Open an issue in https://github.com/autolab/Autolab/ Email us at autolab-dev@andrew.cmu.edu

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-49376

GHSA ID

GHSA-v46j-h43h-rwrm

EPSS Score

0.41312%

CWE

CWE-287

Published

10/25/2024

Updated

11/15/2024

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Autolab	rubygems	= 3.0.0	3.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows:

Added 'action_auth_level :update_password_for_user, :administrator' to enforce admin privileges
Modified 'skip_before_action :authenticate_for_action' to exclude this action from authentication bypass

In vulnerable version 3.0.0, the absence of these protections meant any authenticated user could access password reset functionality for other users. The CWE-287 and CWE-863 mappings confirm this is an authentication/authorization flaw in password management functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *or *m*il-**s** ***ounts, us*rs wit* insu**i*i*nt privil***s *oul* r*s*t *n* t**or*ti**lly ****ss privil**** us*rs' ***ounts *y r*s*ttin* t**ir p*sswor*s. ### P*t***s T*is is *ix** in v*.*.*. ### Work*roun*s No work*roun*s. ### *or mor*

Reasoning

T** *ommit *i** s*ows: *. ***** '**tion_*ut*_l*v*l :up**t*_p*sswor*_*or_us*r, :**ministr*tor' to *n*or** **min privil***s *. Mo*i*i** 'skip_***or*_**tion :*ut**nti**t*_*or_**tion' to *x*lu** t*is **tion *rom *ut**nti**tion *yp*ss In vuln*r**l* v*rs

8.8

Basic Information

Concerned about an active attack path?

CVE-2024-49376: Autolab Misconfigured Reset Password Permissions

Impact

Patches

Workarounds

For more information

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI