CVE-2024-31525
Published: 05 March 2025
Description
Adversaries may create an account to maintain access to victim systems.
Security Summary
CVE-2024-31525 is an incorrect access control vulnerability (CWE-306) in Peppermint Ticket Management version 0.4.6. The issue arises because the authorization mechanism is validated only on the client side and not on the server side, allowing unauthorized privilege escalation. Published on 2025-03-05, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H), indicating high confidentiality, integrity, and availability impacts.
A regular registered user can exploit this vulnerability over the network with low complexity and no user interaction required. By bypassing client-side checks, the attacker elevates their privileges to administrator level, achieving complete access to the system. This enables actions such as creating a new admin user, which provides persistent administrative access for the attacker.
References point to the CWE-285 definition (related to improper authorization) and GitHub issue #258 in the Peppermint-Lab/peppermint repository, which documents the vulnerability. No specific mitigation or patch details are outlined in the provided references.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables privilege escalation from regular user to admin via client-side auth bypass (T1068); admin access directly facilitates creating new admin account for persistence (T1136).