CVE-2024-24825 CRITICAL

CVE-2024-24825: TokenManager not checking permissions on cached tokens in DIRAC

Vendor Diracgrid

Product DIRAC

Weakness CWE-200 · Info exposure

Published February 8, 2024

Last update June 17, 2025

View on NVD All CVEs

CVSS base score

9.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

DIRAC is a distributed resource framework. In affected versions any user could get a token that has been requested by another user/agent. This may expose resources to unintended parties. This issue has been addressed in release version 8.0.37. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

February 8, 2024 CVE published

June 17, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-24825

Related vulnerabilities

CVE-2024-24825: TokenManager not checking permissions on cached tokens in DIRAC

01Description

02Disclosure timeline

03References

04Related CVE