Home > Vulnerability Database > CVE-2024-36108

Mend.io Vulnerability Database

CVE-2024-36108

Date: May 31, 2024

casgate is an Open Source Identity and Access Management system. In affected versions `casgate` allows remote unauthenticated attacker to obtain sensitive information via GET request to an API endpoint. This issue has been addressed in PR #201 which is pending merge. An attacker could use `id` parameter of GET requests with value `anonymous/ anonymous` to bypass authorization on certain API endpoints. Successful exploitation of the vulnerability could lead to account takeover, privilege escalation or provide attacker with credential to other services. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: Go

Severity Score

9.8

Related Resources (4)

Url: https://github.com/casgate/casgate/security/advisories/GHSA-mj5q-rc67-h56c

Url: https://github.com/casgate/casgate/pull/201

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-36108

Url: https://www.mend.io/vulnerability-database/CVE-2024-36108

Severity Score

9.8

Weakness Type (CWE)

Improper Authorization

CWE-285

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-36108

Date: May 31, 2024

Language: Go

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?