CVE-2024-27905 Apache Aurora: padding oracle can allow construction an authentication cookie

2024-02-2714:29:22

CWE-200

apache

www.cve.org

apache aurora

sensitive information

unauthorized actor

padding oracle

authentication cookie

remote code execution

AI Score

7.7

Confidence

Low

EPSS

Percentile

9.0%

JSON

UNSUPPORTED WHEN ASSIGNED Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Aurora.

An endpoint exposing internals to unauthenticated users can be used as a “padding oracle” allowing an anonymous attacker to construct a valid authentication cookie. Potentially this could be combined with vulnerabilities in other components to achieve remote code execution.

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Aurora",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "*",
        "status": "affected",
        "version": "0.5.0",
        "versionType": "semver"
      }
    ]
  }
]