Lucene search

[email protected]CVE-2024-28120

HistoryMar 11, 2024 - 10:15 p.m.

CVE-2024-28120

2024-03-1122:15:55

CWE-284

CWE-200

[email protected]

web.nvd.nist.gov

codeium-chrome

extension

api key

security vulnerability

web browser

service worker

cve-2024-28120

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

0.0004 Low

EPSS

Percentile

9.2%

JSON

codeium-chrome is an open source code completion plugin for the chrome web browser. The service worker of the codeium-chrome extension doesn’t check the sender when receiving an external message. This allows an attacker to host a website that will steal the user’s Codeium api-key, and thus impersonate the user on the backend autocomplete server. This issue has not been addressed. Users are advised to monitor the usage of their API key.

Affected configurations

Vulners

Node

exafunctioncodeium_chromeRange≤1.2.52

CNA Affected

[
  {
    "vendor": "Exafunction",
    "product": "codeium-chrome",
    "versions": [
      {
        "version": "<= 1.2.52",
        "status": "affected"
      }
    ]
  }
]

References

github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p

securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

0.0004 Low

EPSS

Percentile

9.2%

JSON

Related for CVE-2024-28120

prion1 cvelist1 nvd1