CVE-2024-6303 CRITICAL

CVE-2024-6303: Missing Authorization in Conduit

Vendor The Conduit Contributors
Product Conduit
Weakness CWE-862 · Missing authorization
Published June 25, 2024
Last update August 29, 2024

CVSS base score

9.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Missing authorization in the Client-Server API in Conduit <=0.7.0 allows any room alias to be removed and added to another room. This can be used for privilege escalation by moving the #admins alias to a room that the attacker controls, allowing them to run admin commands such as resetting passwords, signing JSON with the server's key, deactivating users, and more.

Key dates

02 Disclosure timeline

June 25, 2024 CVE published
August 29, 2024 Record updated