CVE-2024-51505

CVE-2024-51505 is a privilege escalation vulnerability in Atos Eviden IDRA versions prior to 2.7.1, stemming from a race condition (CWE-362). A user with the highly trusted Config Admin role can exploit this flaw to elevate their privileges beyond their assigned access level. The vulnerability carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating high severity due to its potential for comprehensive impact across confidentiality, integrity, and availability in a changed scope.

Exploitation requires network access and high privileges (PR:H), specifically the Config Admin role, along with high attack complexity (AC:H) to successfully trigger the race condition. No user interaction is needed. A successful attack allows the exploit to achieve high impacts, enabling unauthorized control over the system through escalated privileges.

Advisories from Eviden (https://eviden.com) and Bull support (https://support.bull.com/ols/product/security/psirt/security-bulletins/potential-privilege-escalation-in-idpki-psirt-1335-tlp-clear-version-2-10-cve-2024-39327-cve-2024-39328-cve-2024-51505/view), under PSIRT bulletin 1335 (TLP Clear), address this as part of related privilege escalation issues in IDPKI. Mitigation involves upgrading to IDRA version 2.7.1 or later, where the race condition is resolved.