CVE-2024-53829
Published: 21 January 2025
Description
CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Cross-site request forgery allows an unauthenticated attacker to hijack the authentication of a logged in user, and use the web API with the same permissions, including but not limited to adding, removing or editing products. The attacker needs to know the ID of the available products to modify or delete them. The attacker cannot directly exfiltrate data (view) from CodeChecker, due to being limited to form-based CSRF. This issue affects CodeChecker: through 6.24.4.
Security Summary
CVE-2024-53829 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, in CodeChecker, an analyzer tooling, defect database, and viewer extension for the Clang Static Analyzer and Clang Tidy. The flaw allows an unauthenticated attacker to hijack the authentication of a logged-in user and perform actions via the web API with the victim's permissions. It affects CodeChecker versions through 6.24.4 and carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N).
An unauthenticated attacker exploits this by luring a logged-in user to an attacker-controlled page that auto-submits an HTML form to the CodeChecker web API; the browser attaches the victim's session cookie, so the server processes the forged request with the victim's permissions, for example adding, removing, or editing products. Two limits apply. To modify or delete a product the attacker must already know its ID, since the forged request has to name it. And because the attack is confined to form-based CSRF, the attacker cannot read responses: the same-origin policy keeps the cross-origin response from the attacker's page, so data (reports, product listings) cannot be exfiltrated this way, only state changed.
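The server-side check that closes this class of bug, as an added example that is not CodeChecker's code and does not describe how the project fixed the issue. It models a cookie-authenticated, state-changing API request as a dict and applies three independent defences: an Origin/Referer allowlist, a Content-Type allowlist that rejects the three types an HTML form can send (a cross-origin `fetch` with any other type or a custom header triggers a CORS preflight the server can refuse), and a synchronizer token derived from the session. The deployment origin, the `x-csrf-token` header name, the secret and the two sample requests are all constructed for the example.

```python
"""Constructed CSRF defence for a cookie-authenticated web API (added example,
not CodeChecker's code). A request is a dict with "method", "headers",
"cookies" and "body"; check_request() says whether to process it and why."""
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical deployment values; a real server reads these from its config.
ALLOWED_ORIGINS = {"https://codechecker.example.org"}
SERVER_SECRET = b"constructed-server-secret-never-sent-to-clients"

# The only content types an HTML <form> can submit without a CORS preflight.
FORM_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must not change state


def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session id).
    The client learns it via an authenticated, same-origin response and
    echoes it in a header; a forged form cannot obtain or set it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_of(url: str):
    """Reduce a Referer URL to scheme://host[:port]; None if unparseable."""
    parts = urlsplit(url)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return None


def check_request(req: dict) -> tuple:
    """Return (accept, reason). Every defence is applied; any failure rejects."""
    method = req["method"].upper()
    if method in SAFE_METHODS:
        return True, "safe method, no state change"

    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}

    # 1. Origin check. Browsers always send Origin on cross-origin POSTs;
    #    fall back to Referer, and reject if neither names an allowed origin.
    origin = headers.get("origin") or _origin_of(headers.get("referer", ""))
    if origin is None:
        return False, "no Origin or Referer on a state-changing request"
    if origin not in ALLOWED_ORIGINS:
        return False, f"cross-origin request from {origin}"

    # 2. Content-Type check: a forged <form> can only produce these types.
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in FORM_CONTENT_TYPES:
        return False, f"form-submittable content type {ctype!r} refused"

    # 3. Synchronizer token tied to the session cookie the browser attached.
    session_id = req.get("cookies", {}).get("session")
    presented = headers.get("x-csrf-token", "")
    if not session_id or not hmac.compare_digest(presented, csrf_token(session_id)):
        return False, "missing or invalid CSRF token"

    return True, "accepted"


# Constructed sample requests. The victim's browser attaches the session
# cookie to both; only the legitimate one carries the token and a JSON body.
FORGED_REQUEST = {
    "method": "POST",
    "headers": {
        "Origin": "https://attacker.example",
        "Content-Type": "application/x-www-form-urlencoded",
    },
    "cookies": {"session": "victim-session-1"},
    "body": "action=remove_product&product_id=42",
}

LEGITIMATE_REQUEST = {
    "method": "POST",
    "headers": {
        "Origin": "https://codechecker.example.org",
        "Content-Type": "application/json",
        "X-CSRF-Token": csrf_token("victim-session-1"),
    },
    "cookies": {"session": "victim-session-1"},
    "body": '{"action": "remove_product", "product_id": 42}',
}


if __name__ == "__main__":
    for name, req in (("forged", FORGED_REQUEST), ("legitimate", LEGITIMATE_REQUEST)):
        print(name, check_request(req))
```

Each layer catches the forged request on its own, which is the point: if a deployment later relaxes one (a permissive CORS policy makes the Origin check insufficient, a proxy strips Referer, a client library needs form encoding), the others still hold. The token check is the one to keep under all circumstances.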
The GitHub security advisory at https://github.com/Ericsson/codechecker/security/advisories/GHSA-f8c8-4pm7-w885 describes the issue and its mitigation. Affected users should upgrade to a CodeChecker release later than 6.24.4, in which the vulnerability is fixed.
Details
- CWE(s)