CVE-2024-4332 CRITICAL

CVE-2024-4332: Improper Authentication in Tripwire Enterprise 9.1.0 APIs

Vendor Fortra
Product Tripwire Enterprise
Weakness CWE-303
Published June 3, 2024
Last update August 29, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Attack requirements None
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/S:N/AU:Y/R:U/V:C/RE:L/U:Red

What the vulnerability does

01 Description

An authentication bypass vulnerability has been identified in the REST and SOAP API components of Tripwire Enterprise (TE) 9.1.0 when TE is configured to use LDAP/Active Directory SAML authentication and its optional "Auto-synchronize LDAP Users, Roles, and Groups" feature is enabled. This vulnerability allows unauthenticated attackers to bypass authentication if a valid username is known. Exploitation of this vulnerability could allow remote attackers to gain privileged access to the APIs and lead to unauthorized information disclosure or modification.
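
Because the bypass is reachable by anyone who knows a valid username, the symptom on the defender's side is an API session for a directory user that no identity provider ever authenticated. The following is an added detection example written for this page; it is not Tripwire's or Fortra's code, and the TE API log format, the IdP log format, the hostnames, usernames and the five-minute window are all constructed assumptions for the example. It correlates successful API authentications with SAML assertions issued for the TE service provider and flags any API login that has no IdP assertion for the same user shortly before it.

```python
"""Correlate Tripwire Enterprise API logins with IdP SAML assertions.

Hypothetical detection logic added for CVE-2024-4332, not the vendor's code.
The log formats below are constructed for this example and are not the real
product or IdP formats; adapt the two regexes to what your TE and IdP emit.
"""
import re
from datetime import datetime, timedelta

# Constructed sample logs (not real Tripwire Enterprise or IdP output).
# Each TE line is one successful API authentication; each IdP line is one
# SAML assertion issued for the Tripwire Enterprise service provider.
TE_API_LOG = """\
2024-06-04T09:00:12Z api auth_success user=jsmith src=10.0.5.20 method=REST
2024-06-04T09:14:40Z api auth_success user=acarter src=203.0.113.9 method=SOAP
2024-06-04T09:20:03Z api auth_success user=jsmith src=10.0.5.20 method=REST
"""

IDP_LOG = """\
2024-06-04T08:59:50Z saml assertion_issued subject=jsmith sp=tripwire-enterprise
2024-06-04T09:19:30Z saml assertion_issued subject=jsmith sp=tripwire-enterprise
"""

TE_RE = re.compile(r"^(\S+) api auth_success user=(\S+) src=(\S+) method=(\S+)$")
IDP_RE = re.compile(r"^(\S+) saml assertion_issued subject=(\S+) sp=(\S+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_te_log(log):
    """Return API auth events as dicts; lines that do not match are ignored."""
    events = []
    for line in log.splitlines():
        m = TE_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m[1]), "user": m[2], "src": m[3], "method": m[4]})
    return events


def parse_idp_log(log, sp="tripwire-enterprise"):
    """Return (user, timestamp) pairs for SAML assertions issued to `sp`."""
    events = []
    for line in log.splitlines():
        m = IDP_RE.match(line)
        if m and m[3] == sp:
            events.append((m[2], parse_ts(m[1])))
    return events


def find_unbacked_api_logins(te_events, idp_events, window=timedelta(minutes=5)):
    """API authentications with no IdP assertion for the same user within
    `window` before them. When SAML is the only configured login path, such a
    session was established without the IdP, which is the symptom of a bypass."""
    assertions = {}
    for user, ts in idp_events:
        assertions.setdefault(user, []).append(ts)
    alerts = []
    for ev in te_events:
        backed = any(timedelta(0) <= ev["ts"] - ts <= window
                     for ts in assertions.get(ev["user"], []))
        if not backed:
            alerts.append(ev)
    return alerts


if __name__ == "__main__":
    for a in find_unbacked_api_logins(parse_te_log(TE_API_LOG), parse_idp_log(IDP_LOG)):
        print(f"ALERT {a['ts'].isoformat()} user={a['user']} src={a['src']} method={a['method']}")
```

On the constructed input, both of jsmith's API logins follow a SAML assertion by under a minute and pass; acarter's SOAP login from 203.0.113.9 has no assertion at all and is flagged. The rule assumes every legitimate API session begins with an IdP authentication; long-lived sessions or API tokens reused after the window will produce false positives, so key on a session identifier or widen the window where the product supports that. This is a detection for the symptom only, not a mitigation: the precondition named in the description is the "Auto-synchronize LDAP Users, Roles, and Groups" feature on a 9.1.0 install using LDAP/AD SAML authentication, and the advisory's own fix guidance, not this script, governs remediation.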

Key dates

02 Disclosure timeline

June 3, 2024 CVE published
August 29, 2025 Record updated