CVE-2024-50967
Published: 17 January 2025
Description
The /rest/rights/ REST API endpoint in Becon DATAGerry through 2.2.0 contains an Incorrect Access Control vulnerability. An attacker can remotely access this endpoint without authentication, leading to unauthorized disclosure of sensitive information.
Security Summary
CVE-2024-50967 is an Incorrect Access Control vulnerability (CWE-862) affecting the /rest/rights/ REST API endpoint in Becon DATAGerry through version 2.2.0. The flaw allows the endpoint to be reached remotely without authentication, resulting in the unauthorized disclosure of sensitive information. The vulnerability has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N): medium severity, network-reachable, low attack complexity, no privileges required, user interaction required, and high confidentiality impact with no impact on integrity or availability.
A remote, unprivileged attacker can exploit the flaw by requesting the /rest/rights/ endpoint directly over the network. Although the CVSS vector records user interaction as required, the core issue is unauthenticated retrieval of sensitive data, potentially exposing rights or permissions information that could aid reconnaissance or further attacks.
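The weakness described above is an endpoint that serves data before any authentication decision is made. The following added example (not DATAGerry's code; the mini-framework, handlers, sample rights catalogue and bearer tokens are all constructed for illustration) shows the vulnerable registration pattern beside the hardened one, plus a route audit a team can run in CI so that any API route registered without an authentication requirement fails the build.

```python
"""Illustration of CWE-862 on a rights endpoint, with a defender's route audit.

Hypothetical mini-framework; only the path /rest/rights/ is taken from the
advisory. Handlers, tokens and the rights catalogue are constructed sample data.
"""
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: what the endpoint would disclose to a caller.
RIGHTS = [
    {"name": "base.user.view", "level": 10},
    {"name": "base.system.edit", "level": 80},
]

# Constructed bearer tokens -> user identity (placeholder values).
SESSIONS = {"token-alice": "alice"}


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


Response = Tuple[int, object]
Handler = Callable[[Request], Response]


def authenticate(req: Request) -> Optional[str]:
    """Return the user behind a valid 'Authorization: Bearer <token>' header, else None."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return SESSIONS.get(token)


def require_auth(handler: Handler) -> Handler:
    """Decorator: answer 401 unless the caller is authenticated; never reach the handler otherwise."""
    @wraps(handler)
    def wrapper(req: Request) -> Response:
        if authenticate(req) is None:
            return 401, {"error": "authentication required"}
        return handler(req)
    wrapper.requires_auth = True  # marker consumed by audit_routes()
    return wrapper


def list_rights(req: Request) -> Response:
    """The resource handler itself; it performs no access check of its own."""
    return 200, RIGHTS


class App:
    def __init__(self) -> None:
        self.routes: Dict[str, Handler] = {}

    def route(self, path: str, handler: Handler) -> None:
        self.routes[path] = handler

    def dispatch(self, req: Request) -> Response:
        handler = self.routes.get(req.path)
        if handler is None:
            return 404, {"error": "not found"}
        return handler(req)


def build_vulnerable_app() -> App:
    """The CWE-862 pattern: the handler is registered with no authentication layer."""
    app = App()
    app.route("/rest/rights/", list_rights)
    return app


def build_hardened_app() -> App:
    """Same endpoint, wrapped so anonymous callers receive 401 instead of the data."""
    app = App()
    app.route("/rest/rights/", require_auth(list_rights))
    return app


def audit_routes(app: App, prefix: str = "/rest/") -> List[str]:
    """Regression check: list API routes that lack the authentication marker."""
    return sorted(path for path, handler in app.routes.items()
                  if path.startswith(prefix) and not getattr(handler, "requires_auth", False))


if __name__ == "__main__":
    anon = Request("/rest/rights/")
    user = Request("/rest/rights/", {"Authorization": "Bearer token-alice"})
    for name, app in (("vulnerable", build_vulnerable_app()), ("hardened", build_hardened_app())):
        print(f"{name}: anonymous -> {app.dispatch(anon)[0]}, "
              f"authenticated -> {app.dispatch(user)[0]}, "
              f"unprotected routes -> {audit_routes(app)}")
```

The audit relies on the route table being the single place where protection is attached, which is why the check lives in the decorator rather than inside each handler: a handler that forgets its own check is exactly the defect the advisory describes, whereas a missing decorator is visible to `audit_routes()` before deployment.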
Additional details and mitigation guidance are provided in the referenced resources: the DATAGerry REST API documentation at https://datagerry.readthedocs.io/en/latest/api/rest/user-management.html#rights, the discoverer's GitHub repository at https://github.com/0xByteHunter/CVE-2024-50967, and the discoverer's Medium write-up at https://medium.com/@0xbytehunter/my-first-cve-discovery-of-broken-access-control-in-the-datagerry-platform-7b0404f88a43. Security practitioners should review these resources for remediation guidance; all DATAGerry versions through 2.2.0 are affected.
Details
- CWE(s)