CVE-2024-9671: System: PDF invoices of developer users can be seen if the URL is known

Description

A vulnerability was found in 3scale. There is no authorization check on the PDF invoice of a Developer user: the invoice is served to whoever requests its URL. Anyone who knows or guesses the URL can view the invoice.
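The pattern described above is a missing object-level authorization check on a direct download URL. The following is an added illustration, not 3scale's code: a minimal model of an invoice endpoint in its unchecked form beside a checked form, plus a small access-log scan that flags sources repeatedly requesting invoice URLs that do not exist. All names (Invoice, User, serve_invoice_*, enumeration_suspects), the URL shape and the log lines are constructed for the example.

```ruby
# Added example, not code from 3scale. Models an invoice download endpoint
# without and with an authorization check, and a detection helper.
# Invoice, User and the handler names are hypothetical.

Invoice = Struct.new(:id, :owner_id, :pdf_bytes)
User    = Struct.new(:id, :role)   # role: :developer or :provider_admin

# Constructed sample data: two developer accounts, one invoice each.
INVOICES = {
  'inv-1001' => Invoice.new('inv-1001', 'dev-alice', '%PDF-1.4 alice invoice'),
  'inv-1002' => Invoice.new('inv-1002', 'dev-bob',   '%PDF-1.4 bob invoice'),
}

# Unchecked pattern: the only "secret" is the URL. Any request naming an
# existing invoice id receives the PDF, regardless of who (if anyone) asks.
def serve_invoice_unchecked(invoice_id, _current_user)
  inv = INVOICES[invoice_id]
  return [404, nil] unless inv
  [200, inv.pdf_bytes]
end

# Checked pattern: require an authenticated user, look the invoice up, then
# authorize against the invoice's owner (or a provider admin). Unauthorized
# access returns 404 rather than 403 so the response does not confirm that
# a guessed id exists.
def serve_invoice_checked(invoice_id, current_user)
  return [401, nil] if current_user.nil?
  inv = INVOICES[invoice_id]
  return [404, nil] unless inv
  allowed = current_user.role == :provider_admin || inv.owner_id == current_user.id
  return [404, nil] unless allowed
  [200, inv.pdf_bytes]
end

# Detection: a client that keeps hitting non-existent invoice URLs is worth a
# look. Parses common-log-format lines (constructed shape) and returns the
# source addresses with at least `threshold` 404s on /invoices/*.pdf.
LOG_RE = /\A(\S+) .*"GET (\/invoices\/\S+?\.pdf)[^"]*" (\d{3})/

def enumeration_suspects(log_lines, threshold: 3)
  misses = Hash.new(0)
  log_lines.each do |line|
    m = LOG_RE.match(line) or next
    ip, _path, status = m.captures
    misses[ip] += 1 if status == '404'
  end
  misses.select { |_ip, n| n >= threshold }.keys
end

# Constructed log sample: one legitimate download, one source probing ids.
SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /invoices/inv-1001.pdf HTTP/1.1" 200 5120',
  '198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET /invoices/inv-1003.pdf HTTP/1.1" 404 0',
  '198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET /invoices/inv-1004.pdf HTTP/1.1" 404 0',
  '198.51.100.7 - - [01/Jan/2025:10:00:03 +0000] "GET /invoices/inv-1005.pdf HTTP/1.1" 404 0',
  '10.0.0.9 - - [01/Jan/2025:10:00:04 +0000] "GET /invoices/inv-9999.pdf HTTP/1.1" 404 0',
]

if __FILE__ == $PROGRAM_NAME
  alice = User.new('dev-alice', :developer)
  p serve_invoice_unchecked('inv-1002', nil)   # anyone with the URL gets Bob's PDF
  p serve_invoice_checked('inv-1002', alice)   # Alice is refused Bob's invoice
  p enumeration_suspects(SAMPLE_LOG)           # sources probing invoice ids
end
```

The check belongs on the handler that serves the file, not only on the page that links to it; a download URL is reachable without visiting the page, which is exactly the condition the description gives.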

Classification

CVE ID: CVE-2024-9671

Affected Products

Vendor: Red Hat

Product: Red Hat 3scale API Management Platform 2

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (estimated probability of exploitation in the wild within the next 30 days)

EPSS Percentile: 11.44% (share of all scored CVEs with a score less than or equal to this one)

EPSS Date: 2025-02-03 (date the score was calculated)

References

https://access.redhat.com/security/cve/CVE-2024-9671
https://bugzilla.redhat.com/show_bug.cgi?id=2317449

Timeline