CVE-2024-23639

Description

### Summary Enabled but unsecured management endpoints are susceptible to drive-by localhost attacks. While not typical of a production application, these attacks may have more impact on a development environment where such endpoints may be flipped on without much thought. ### Details A malicious/compromised website can make HTTP requests to `localhost`. Normally, such requests would trigger a CORS preflight check which would prevent the request; however, some requests are ["simple"](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests) and do not require a preflight check. These endpoints, if enabled and not secured, are vulnerable to being triggered. ### Impact Production environments typically disable unused endpoints and secure/restrict access to needed endpoints. A more likely victim is the developer in their local development host, who has enabled endpoints without security for the sake of easing development.

How to fix CVE-2024-23639

To remediate CVE-2024-23639, upgrade the affected package to a fixed version below.

• —upgrade to 3.8.3 or later
• —upgrade to 3.8.3 or later
• —upgrade to 3.8.3 or later

Is CVE-2024-23639 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• from 0, < 3.8.3
• from 0, < 3.8.3
• from 0, < 3.8.3

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-23639
• PATCHgithub.com/micronaut-projects/micronaut-core
• WEBdeveloper.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
• WEBgithub.com/micronaut-projects/micronaut-core/commit/01adb21e57137caaf7004313d2055c5a78b1f47b