CVE-2024-48987
CVSS 3.1 Score 6.6 of 10 (medium)
Details
Summary
CVE-2024-48987 affects Snipe-IT versions prior to 7.0.10. It allows remote code execution through the application's handling of serialized cookie data when an attacker knows the APP_KEY. The issue is aggravated by .env files in the product's repository that contain default APP_KEY values. Organizations running affected versions face high integrity and confidentiality impacts and potential unauthorized access; the attack vector is network-based and requires high privileges but no user interaction. To remediate this vulnerability, upgrade to Snipe-IT version 7.0.10 or later and ensure that sensitive configuration files are properly secured and not publicly accessible. The vulnerability is rated medium severity, with a CVSS base score of 6.6.
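The following audit script is an added example and is not part of this advisory or of the Snipe-IT project. It checks the two conditions the summary turns on: that a deployment's .env carries a freshly generated APP_KEY rather than a shipped default, and that the file is not readable by other local users. It assumes the Laravel convention used by Snipe-IT (APP_KEY=base64:<key>, AES-256-CBC, so the key must decode to 32 bytes) and an optional operator-supplied denylist file holding known-shipped keys, one per line; the file names and the denylist format are assumptions for this example.

```shell
#!/bin/sh
# Audit a Laravel-style .env (as used by Snipe-IT) for a weak or recycled APP_KEY.
# Assumptions (example only, not from the advisory): the key is stored as
# APP_KEY=base64:<key> and the app uses Laravel's default AES-256-CBC cipher,
# which requires a 32-byte key. The optional denylist is a file with one
# known-shipped key per line, collected by the operator from the repository's
# example .env files.

# Print the APP_KEY value from a .env file, stripped of quotes and CR.
read_app_key() {
  sed -n 's/^APP_KEY=//p' "$1" | head -n 1 | tr -d '\r"'"'"
}

# Return 0 when the key is well-formed and not on the denylist; 1 otherwise.
check_app_key() {
  envfile="$1"
  denylist="${2:-}"
  key=$(read_app_key "$envfile")
  case "$key" in
    "")       echo "FAIL: APP_KEY is missing or empty in $envfile"; return 1 ;;
    base64:*) ;;
    *)        echo "FAIL: APP_KEY is not a base64: key (run php artisan key:generate)"; return 1 ;;
  esac
  # Decode the key and count the raw bytes; anything but 32 is unusable or weak.
  nbytes=$(printf '%s' "${key#base64:}" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  if [ "${nbytes:-0}" -ne 32 ]; then
    echo "FAIL: APP_KEY decodes to ${nbytes:-0} bytes, expected 32"; return 1
  fi
  # A key that also appears in a published example .env is known to anyone.
  if [ -n "$denylist" ] && grep -qxF -- "$key" "$denylist"; then
    echo "FAIL: APP_KEY matches a key shipped in the repository; rotate it"; return 1
  fi
  echo "OK: APP_KEY in $envfile looks freshly generated"
  return 0
}

# Return 0 when the .env is not readable by "other" users (GNU stat first, BSD fallback).
check_env_perms() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    *[0-3]) return 0 ;;   # last octal digit without the read bit (4)
    *)      echo "FAIL: $1 has mode $mode; other users can read it"; return 1 ;;
  esac
}

# Usage: sh audit_env.sh /path/to/.env [/path/to/known-keys.txt]
if [ -n "${1:-}" ]; then
  check_app_key "$1" "${2:-}" && check_env_perms "$1"
fi
```

If either check fails, generate a new key with `php artisan key:generate` (the standard Laravel command) and restart the application; note that rotating APP_KEY invalidates existing sessions and makes any data encrypted under the old key unreadable, so plan the rotation with the upgrade to 7.0.10 or later. File permissions cover local readers only; the web server configuration must separately refuse to serve the .env path.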