Cyber Posture

CVE-2024-42172

Medium

Published: 11 January 2025

Modified: 16 May 2025
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0020 (41.9th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Description

HCL MyXalytics is affected by broken authentication. It allows attackers to compromise keys, passwords, and session tokens, potentially leading to identity theft and system control. This vulnerability arises from poor configuration, logic errors, or software bugs and can affect any application with access control, including databases, network infrastructure, and web applications.

Security Summary

CVE-2024-42172 is a broken authentication vulnerability affecting HCL MyXalytics. It stems from poor configuration, logic errors, or software bugs that enable attackers to compromise keys, passwords, and session tokens. The issue is classified under CWE-287 (Improper Authentication) and CWE-522 (Insufficiently Protected Credentials), with a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity primarily due to low-impact confidentiality disclosure over the network without privileges.

Unauthenticated attackers (PR:N) can exploit this vulnerability remotely (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows compromise of authentication credentials, potentially leading to identity theft and full system control. The vulnerability impacts any applications with access control mechanisms integrated via HCL MyXalytics, such as databases, network infrastructure, and web applications.

HCL has issued a knowledge base article detailing mitigation: https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0118149. Security practitioners should consult this advisory for specific patches, configuration guidance, or workarounds to address the broken authentication.

Details

CWE(s)
CWE-287, CWE-522

Affected Products

Vendor: hcltech
Product: dryice myxalytics
Version: 6.3
