CVE-2024-39314 MEDIUM

CVE-2024-39314: toy-blog administrative token leaked through the command line parameter

Vendor Kisaragieffective
Product toy-blog
Weakness CWE-214
Published July 1, 2024
Last update August 2, 2024

CVSS base score

4.7/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

toy-blog is a headless content management system implementation. Starting in version 0.4.3 and prior to version 0.5.0, the administrative password was leaked through the command line parameter (CWE-214: any local user who can list processes can read it). The problem was patched in version 0.5.0. As a workaround, add `--read-bearer-token-from-stdin` to the launch arguments and feed the token through standard input in version 0.4.14 or later. Earlier versions do not have this workaround.
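The pattern behind this CVE and its workaround, as an added example in Python that is not toy-blog's own code: a token accepted on the command line stays visible in the process argument list, while the stdin intake the `--read-bearer-token-from-stdin` option implies keeps it out of argv; a small detector then flags such command lines in a process listing. The `--bearer-token` option name, the `toy-blog-like` program name and the sample listing are assumptions for illustration.

```python
# Added example, not the project's code. --bearer-token is an assumed legacy
# option name; --read-bearer-token-from-stdin is the option the advisory names.
import argparse
import io
import re
from typing import List, Sequence, TextIO

SECRET_FLAGS = ("--bearer-token",)  # options whose value is a secret (assumed)

def load_bearer_token(argv: Sequence[str], stdin: TextIO) -> str:
    """Return the admin token; the stdin path never places it in argv, where
    `ps` or /proc/<pid>/cmdline would expose it to other local users."""
    p = argparse.ArgumentParser(prog="toy-blog-like", add_help=False)
    p.add_argument("--bearer-token")  # legacy: visible for the process lifetime
    p.add_argument("--read-bearer-token-from-stdin", action="store_true")
    args, _rest = p.parse_known_args(list(argv))
    token = (stdin.readline().rstrip("\r\n") if args.read_bearer_token_from_stdin
             else (args.bearer_token or ""))
    if not token:
        raise ValueError("no bearer token supplied")
    return token

def leaking_processes(ps_lines: Sequence[str]) -> List[int]:
    """Detection: from `ps -eo pid,args` style lines, return PIDs whose command
    line carries a secret flag WITH a value (`--flag=v` or `--flag v`)."""
    pids: List[int] = []
    for line in ps_lines:
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # header or malformed line
        pid, cmd = int(parts[0]), parts[1]
        if any(re.search(rf"(^|\s){re.escape(f)}(=\S|\s\S)", cmd) for f in SECRET_FLAGS):
            pids.append(pid)
    return pids

# Constructed sample process listing (not real output). PID 4244 is a bare
# mention of the flag with no value and must not be flagged.
SAMPLE_PS = [
    "  PID COMMAND",
    " 4242 toy-blog serve --bearer-token hunter2 --port 8080",
    " 4243 toy-blog serve --read-bearer-token-from-stdin --port 8081",
    " 4244 grep --color=auto --bearer-token",
]

def run_demo() -> dict:
    """Exercise both intake paths and the detector on constructed input."""
    via_stdin = load_bearer_token(["--read-bearer-token-from-stdin"], io.StringIO("s3cret\n"))
    via_argv = load_bearer_token(["--bearer-token", "hunter2"], io.StringIO(""))
    return {"stdin": via_stdin, "argv": via_argv, "leaking": leaking_processes(SAMPLE_PS)}

if __name__ == "__main__":
    print(run_demo())  # {'stdin': 's3cret', 'argv': 'hunter2', 'leaking': [4242]}
```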

Key dates

Disclosure timeline

July 1, 2024 CVE published
August 2, 2024 Record updated