Lucene search

MitreCVE-2024-39891

HistoryJul 02, 2024 - 6:15 p.m.

CVE-2024-39891

2024-07-0218:15:03

CWE-203

mitre

web.nvd.nist.gov

In Wild

twilio authy api

insecure endpoint

phone-number data

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

Confidence

High

EPSS

0.118

Percentile

95.4%

JSON

In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)

Affected configurations

Nvd

Node

twilioauthyRange<26.1.0iphone_os

twilioauthy_authenticatorRange<25.1.0android

VendorProductVersionCPE
twilioauthy*cpe:2.3:a:twilio:authy:*:*:*:*:*:iphone_os:*:*
twilioauthy_authenticator*cpe:2.3:a:twilio:authy_authenticator:*:*:*:*:*:android:*:*

Vendor	Product	Version	CPE
twilio	authy	*	cpe:2.3:a:twilio:authy::::::iphone_os::*
twilio	authy_authenticator	*	cpe:2.3:a:twilio:authy_authenticator::::::android::*

References

cwe.mitre.org/data/definitions/203.html

www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/

www.twilio.com/docs/usage/security/reporting-vulnerabilities

www.twilio.com/en-us/changelog

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

Confidence

High

EPSS

0.118

Percentile

95.4%

JSON

Related for CVE-2024-39891