CVE-2024-45036— Improper Access Control Vulnerability When Accessing a Maliciously Crafted Tophat Link
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-45036
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Improper Access Control Vulnerability When Accessing a Maliciously Crafted Tophat Link
Source: NVD (National Vulnerability Database)
Vulnerability Description
Tophat is a mobile applications testing harness. An Improper Access Control vulnerability can expose the `TOPHAT_APP_TOKEN` token stored in `~/.tophatrc` through use of a malicious Tophat URL controlled by the attacker. The vulnerability allows Tophat to send this token to the attacker's server without any checks to ensure that the server is trusted. This token can then be used to access internal build artifacts, for mobile applications, not intended to be public. The issue has been patched as of version 1.10.0. The ability to request artifacts using a Tophat API has been deprecated as this flow was inherently insecure. Systems that have implemented this kind of endpoint should cease use and invalidate the token immediately. There are no workarounds and all users should update as soon as possible.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Tophat 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Tophat是Shopify开源的一个测试工具。 Tophat 1.10.0之前版本存在安全漏洞,该漏洞源于对TOPHAT_APP_TOKEN令牌的不正确保护,通过恶意构造的Tophat URL,未经验证的攻击者可以获取此令牌,从而访问原本不应公开的内部构建资源。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-45036
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-45036
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: Shopify
- CVE-2026-39862
Tophat has a Command Injection Vulnerability When Accessing - CVE-2026-34060
Ruby LSP has arbitrary code execution through branch setting - CVE-2025-53623
Job Iteration API is vulnerable to OS Command Injection atta - CVE-2025-48069
ejson2env has insufficient input sanitization - CVE-2025-30221
Pitchfork HTTP Request/Response Splitting vulnerability
Same weakness: CWE-287
- CVE-2026-8244
Industrial Application Software IAS Canias ERP Login RMI imp - CVE-2026-8216
Industrial Application Software IAS Canias ERP Java RMI Sess - CVE-2026-8214
Industrial Application Software IAS Canias ERP RMI doAction - CVE-2026-42560
auth: Patreon provider assigns the same local user ID to eve - CVE-2026-41070
openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, all
V. Comments for CVE-2024-45036
No comments yet