Vulnerability Details CVE-2024-27905
** UNSUPPORTED WHEN ASSIGNED ** Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Aurora.
An endpoint exposing internals to unauthenticated users can be used as a "padding oracle" allowing an anonymous attacker to construct a valid authentication cookie. Potentially this could be combined with vulnerabilities in other components to achieve remote code execution.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.03
EPSS Ranking 85.9%
CVSS Severity
CVSS v3 Score 9.1
References
Products affected by CVE-2024-27905
-
cpe:2.3:a:apache:aurora:0.10.0
-
cpe:2.3:a:apache:aurora:0.11.0
-
cpe:2.3:a:apache:aurora:0.12.0
-
cpe:2.3:a:apache:aurora:0.13.0
-
cpe:2.3:a:apache:aurora:0.14.0
-
cpe:2.3:a:apache:aurora:0.15.0
-
cpe:2.3:a:apache:aurora:0.16.0
-
cpe:2.3:a:apache:aurora:0.17.0
-
cpe:2.3:a:apache:aurora:0.18.0
-
cpe:2.3:a:apache:aurora:0.18.1
-
cpe:2.3:a:apache:aurora:0.19.0
-
cpe:2.3:a:apache:aurora:0.19.1
-
cpe:2.3:a:apache:aurora:0.20.0
-
cpe:2.3:a:apache:aurora:0.21.0
-
cpe:2.3:a:apache:aurora:0.22.0
-
cpe:2.3:a:apache:aurora:0.5.0
-
cpe:2.3:a:apache:aurora:0.6.0
-
cpe:2.3:a:apache:aurora:0.7.0
-
cpe:2.3:a:apache:aurora:0.8.0
-
cpe:2.3:a:apache:aurora:0.9.0