Lucene search

GitHub_MCVELIST:CVE-2024-28120

HistoryMar 11, 2024 - 9:14 p.m.

CVE-2024-28120 API key leak in codeium-chrome

2024-03-1121:14:22

CWE-284

CWE-200

GitHub_M

www.cve.org

cve-2024-28120

codeium-chrome

service worker

external message

attacker

website

user's codeium api-key

impersonate

backend autocomplete server

issue

api key monitoring

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

0.0004 Low

EPSS

Percentile

9.2%

JSON

codeium-chrome is an open source code completion plugin for the chrome web browser. The service worker of the codeium-chrome extension doesn’t check the sender when receiving an external message. This allows an attacker to host a website that will steal the user’s Codeium api-key, and thus impersonate the user on the backend autocomplete server. This issue has not been addressed. Users are advised to monitor the usage of their API key.

CNA Affected

[
  {
    "vendor": "Exafunction",
    "product": "codeium-chrome",
    "versions": [
      {
        "version": "<= 1.2.52",
        "status": "affected"
      }
    ]
  }
]

References

github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p

securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

0.0004 Low

EPSS

Percentile

9.2%

JSON

Related for CVELIST:CVE-2024-28120