CVE-2024-12564: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ODA CDE inWEB SDK before 2025.3

6.9 CVSS

Description

An Exposure of Sensitive Information to an Unauthorized Actor vulnerability was discovered in Open Design Alliance CDE inWEB SDK before 2025.3. Installing CDE Server with default settings allows unauthorized users to visit the Prometheus metrics page. This can let attackers learn more about the target application, which may help in further investigation and exploitation.

Classification

CVE ID: CVE-2024-12564

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.9

Affected Products

Vendor: Open Design Alliance

Product: CDE inWEB SDK

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.48% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-04 (when this score was calculated)

References

https://www.opendesign.com/security-advisories

Timeline