How severe is CVE-2024-51504?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.1 out of 10.

What type of vulnerability is CVE-2024-51504?

This is classified as CWE-290, which is a common weakness in software security.

CVE-2024-51504

CRITICAL Year: 2024

CVSS v3 Score

9.1

Critical

Weakness Type

CWE-290

View all →

Vulnerability Description

When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthenticationProvider, which uses HTTP request headers, is weak and allows an attacker to bypass authentication via spoofing client's IP address in request headers. Default configuration honors X-Forwarded-For HTTP header to read client's IP address. X-Forwarded-For request header is mainly used by proxy servers to identify the client and can be easily spoofed by an attacker pretending that the request comes from a different IP address. Admin Server commands, such as snapshot and restore arbitrarily can be executed on successful exploitation which could potentially lead to information leakage or service availability issues. Users are recommended to upgrade to version 3.9.3, which fixes this issue.

CVE-2017-14487

CRITICAL

CVSS:9.1(Critical)

The OhMiBod Remote app for Android and iOS allows remote attackers to impersonate users by sniffing network traffic for search responses from the OhMiBod API server and then editing the username, user...

CWE-2902017

CVE-2019-12131

CRITICAL

CVSS:9.1(Critical)

An issue was detected in ONAP APPC through Dublin and SDC through Dublin. By setting a USER_ID parameter in an HTTP header, an attacker may impersonate an arbitrary existing user without any authentic...

CWE-2902019

CVE-2020-11015

CRITICAL

CVSS:9.1(Critical)

A vulnerability has been disclosed in thinx-device-api IoT Device Management Server before version 2.5.0. Device MAC address can be spoofed. This means initial registration requests without UDID and s...

CWE-2902020

CVE-2021-22779

CRITICAL

CVSS:9.1(Critical)

Authentication Bypass by Spoofing vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Control Expert V15.0 SP1, EcoSt...

CWE-2902021

CVE-2021-38598

CRITICAL

CVSS:9.1(Critical)

OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0 allows hardware address impersonation when the linuxbridge driver with ebtables-nft is used on a Netfilter-based platform. By sending ca...

CWE-2902021

CVE-2022-39227

CRITICAL

CVSS:9.1(Critical)

python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or auth...

CWE-2902022

CVE-2024-51504

Vulnerability Description

Related Vulnerabilities

CVE-2017-14487

CVE-2019-12131

CVE-2020-11015

CVE-2021-22779

CVE-2021-38598

CVE-2022-39227