CVE-2024-12056 LOW

CVE-2024-12056: Client Secret not checked with OAuth Password grant type

Vendor Arcinfo
Product PcVue
Weakness CWE-358
Published December 4, 2024
Last update December 4, 2024

CVSS base score

2.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Passive
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/AU:N/R:U/RE:M/U:Green

What the vulnerability does

Description

The client secret is not checked when the OAuth Password grant type is used. By exploiting this vulnerability, an attacker could connect to a web server using a client application that is not explicitly authorized as part of the OAuth deployment. Exploitation requires valid user credentials and does not allow the attacker to bypass user privileges.
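The missing check, shown as an added illustration (a hypothetical handler written for this record, not PcVue's code): a minimal password-grant token endpoint that never authenticates the client next to one that does so before looking at the user's credentials. The client registry, user store and token format are constructed.

```python
import hashlib
import hmac

# Constructed client registry (hypothetical, not PcVue's): client secrets are
# stored as SHA-256 digests so the lookup never compares the raw secret.
CLIENTS = {"dashboard-app": hashlib.sha256(b"s3cr3t-dashboard").hexdigest()}
# Constructed resource-owner store; plaintext only to keep the example short.
USERS = {"operator": "correct-horse"}


def _client_authenticated(client_id, client_secret):
    """True only if client_id is registered and the presented secret matches."""
    stored = CLIENTS.get(client_id)
    if stored is None or client_secret is None:
        return False
    presented = hashlib.sha256(client_secret.encode()).hexdigest()
    return hmac.compare_digest(stored, presented)


def _user_authenticated(username, password):
    """Constant-time comparison of the resource owner's password."""
    expected = USERS.get(username)
    if expected is None or password is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def token_endpoint_vulnerable(form):
    """Password grant that verifies the user but never the client (CWE-358):
    any client_id, with or without a secret, is handed a token."""
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if not _user_authenticated(form.get("username"), form.get("password")):
        return 401, {"error": "invalid_grant"}
    return 200, {"access_token": "tok-" + form["username"], "token_type": "bearer"}


def token_endpoint_fixed(form):
    """Same grant with client authentication first, as RFC 6749 requires for
    confidential clients: an unregistered or mis-secreted client is rejected
    before the user's credentials are even examined."""
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if not _client_authenticated(form.get("client_id"), form.get("client_secret")):
        return 401, {"error": "invalid_client"}
    if not _user_authenticated(form.get("username"), form.get("password")):
        return 401, {"error": "invalid_grant"}
    return 200, {"access_token": "tok-" + form["username"], "token_type": "bearer"}
```

With valid user credentials, the vulnerable handler issues a token to an unregistered client; the fixed handler answers `invalid_client` for the same request.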

Key dates

Disclosure timeline

December 4, 2024 CVE published
December 4, 2024 Record updated