
CVE-2024-48590

Critical

Published: 20 March 2025

Modified: 01 April 2025
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0215 (84.3rd percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

Inflectra SpiraTeam 7.2.00 is vulnerable to a Server-Side Request Forgery (SSRF) issue in its NewsReaderService component, tracked as CVE-2024-48590 and published on 2025-03-20. The vulnerability is mapped to CWE-918 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), rated critical because of its high impact on confidentiality, integrity, and availability.

The vulnerability can be exploited by an unauthenticated attacker over the network, with low attack complexity and no user interaction required. Successful exploitation enables privilege escalation and access to sensitive information, allowing the attacker to compromise the targeted SpiraTeam instance.

Further details, including potential mitigation guidance or patches, are available in the advisory at https://github.com/GCatt-AS/CVE-2024-48590/blob/main/README.md.

Details

CWE(s): CWE-918

Affected Products

inflectra / spirateam / 7.2.00

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The SSRF vulnerability (CVE-2024-48590) in the public-facing SpiraTeam application enables exploitation of a public-facing application (T1190), leading to privilege escalation (T1068) and access to sensitive information.

References