CVE-2024-48920

Missing Authentication for Critical Function (CWE-306)

Published: Oct 17, 2024 / Updated: 33d ago

CVSS 9.1 / EPSS 0.05% / Critical

Summary

PutongOJ, an online judging software, contains a vulnerability in versions prior to 2.1.0-beta.1 that allows unprivileged users to escalate privileges by sending crafted requests to a function that performs a privileged operation without first verifying the caller's identity. This vulnerability is associated with CWE-306: Missing Authentication for Critical Function.

Impact

This vulnerability can lead to unauthorized access, enabling unprivileged users to perform admin-level operations and thereby compromise sensitive data and system integrity. It has a high impact on confidentiality and integrity but no impact on availability, and the CVSS vector records Privileges Required: None, so the crafted requests are scored as needing no existing account. With a CVSS v3.1 base score of 9.1, it is considered a critical severity issue.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. The vulnerability has been fixed in version 2.1.0-beta.1 of PutongOJ. For those unable to update immediately, a workaround is available by manually applying the patch from commit `211dfe9`.

Mitigation

The primary mitigation is to update PutongOJ to version 2.1.0-beta.1 or later. If immediate updating is not possible, system administrators should apply the patch from commit `211dfe9` manually. Additionally, it's recommended to monitor system logs for any suspicious activities that might indicate exploitation attempts, and to restrict network access to the PutongOJ system where possible.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Timeline

CVE Assignment

NVD published the first details for CVE-2024-48920

Oct 17, 2024 at 3:15 PM
CVSS

A CVSS base score of 9.1 has been assigned.

Oct 17, 2024 at 3:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-48920.

Oct 17, 2024 at 3:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 17, 2024 at 3:24 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.6%)

Oct 18, 2024 at 10:19 AM

Attack Patterns

CAPEC-12: Choosing Message Identifier

News

Vulnerability Summary for the Week of October 14, 2024 (High Vulnerabilities)
acm309 -- PutongOJ: PutongOJ is online judging software. Prior to version 2.1.0-beta.1, unprivileged users can escalate privileges by constructing requests. This can lead to unauthorized access, enabling users to perform admin-level operations, potentially compromising sensitive data and system integrity. This problem has been fixed in v2.1.0.beta.1. As a workaround, one may apply the patch from commit `211dfe9` manually.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None
