Lucene search

GitHub_MVULNRICHMENT:CVE-2024-35184

HistoryMay 15, 2024 - 9:29 p.m.

CVE-2024-35184 paperless-ngx's remote user auth via header works even when disabling it for API

2024-05-1521:29:33

CWE-287

GitHub_M

github.com

paperless-ngx

remote user authentication

api access

vulnerability

patch

5.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

6.9 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.6%

JSON

Paperless-ngx is a document management system that transforms physical documents into a searchable online archive. Starting in version 2.5.0 and prior to version 2.8.6, remote user authentication allows API access even if API access is explicitly disabled. Version 2.8.6 contains a patchc for the issue.

CNA Affected

[
  {
    "vendor": "paperless-ngx",
    "product": "paperless-ngx",
    "versions": [
      {
        "version": ">= 2.5.0, < 2.8.6",
        "status": "affected"
      }
    ]
  }
]

References

github.com/paperless-ngx/paperless-ngx/commit/ed05b40ba461641b1b59b0a92f51f3f6a66ce180

github.com/paperless-ngx/paperless-ngx/pull/6739

github.com/paperless-ngx/paperless-ngx/releases/tag/v2.8.6

github.com/paperless-ngx/paperless-ngx/security/advisories/GHSA-72w4-hxqq-c256