Bug 2310406 (CVE-2024-8509) - CVE-2024-8509 Migration Toolkit for Virtualization: forklift-controller: Empty bearer token may perform authentication

Key Information:
1. Bug ID: 2310406
2. CVE ID: CVE-2024-8509
3. Product: Migration Toolkit for Virtualization
4. Component: forklift-controller
5. Severity: High
6. Priority: High
7. Status: New
8. Reported: 2024-09-06 12:56 UTC by OSIDB Bzimport
9. Modified: 2024-09-06 14:44 UTC
10. Assignee: Product Security DevOps Team
11. Doc Type: Vulnerability
12. OS: Linux
13. Target Milestone: ---
14. URL: Link to the bug report
15. Depends on / Blocked by: none listed
16. Attachments: none

Doc Text:
A vulnerability was found in Forklift Controller. The only check performed on the Authorization header is that it uses the Bearer scheme; the token value itself is never verified. A request without an Authorization header carrying some form of Bearer token receives a 401 error, but the mere presence of a token value, whatever its content, yields a 200 response with the requested information.

Vulnerability Description:

Description: A security vulnerability against the API. No verification is performed on the Authorization header beyond ensuring that it uses bearer authentication. Example: a malicious user can make a query against the API with a random string as the bearer token.

Impact: Without an Authorization header and some form of Bearer token, a 401 error occurs. However, the mere presence of a token value provides a 200 response with the requested information. In practice this means the API's authentication check distinguishes only between "no Bearer header" and "some Bearer header", so any unauthenticated client that adds an arbitrary Bearer header obtains the same data as a legitimately authenticated one.

Additional Information:
CC List: 0 users
Embargoed: No
Last Closed: N/A
Environment: N/A
Fixed In Version: N/A
QA Contact: N/A
Docs Contact: N/A
Whiteboard: N/A
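The flaw class described above, as an added illustration written for this page (it is not the forklift-controller source and does not claim to show how that code was fixed): a Go HTTP middleware that only checks the Authorization header for the "Bearer " scheme prefix, placed beside a hardened version that parses the token and validates it with a verifier. The `TokenVerifier` type, `staticVerifier`, the `/inventory/providers` path, the sample JSON payload and the token value are all assumptions made for the example; in a real Kubernetes controller the verifier would be backed by a TokenReview against the API server.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// okHandler stands in for an authenticated API endpoint that returns the
// requested information (constructed sample payload, not real data).
func okHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
		fmt.Fprintln(w, `{"providers": []}`)
	})
}

// vulnerableAuth reproduces the flaw class in the report: the only check is
// that the Authorization header starts with the Bearer scheme. The token is
// never validated, so "Bearer anything" (or "Bearer " with nothing after it)
// is accepted. Illustrative code, not the forklift-controller source.
func vulnerableAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// TokenVerifier decides whether a presented bearer token is genuine. This is
// an assumed abstraction; a Kubernetes controller would back it with a
// TokenReview request to the API server.
type TokenVerifier func(token string) bool

// bearerToken parses "Bearer <token>" and rejects a missing, malformed or
// empty token instead of trusting the scheme prefix alone.
func bearerToken(header string) (string, bool) {
	parts := strings.SplitN(header, " ", 2)
	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") {
		return "", false
	}
	tok := strings.TrimSpace(parts[1])
	return tok, tok != ""
}

// hardenedAuth lets a request through only when the token parses and the
// verifier confirms it; every other case gets a 401 with a challenge header.
func hardenedAuth(verify TokenVerifier, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, ok := bearerToken(r.Header.Get("Authorization"))
		if !ok || !verify(tok) {
			w.Header().Set("WWW-Authenticate", `Bearer realm="forklift"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// staticVerifier accepts only the listed tokens, compared in constant time.
// Hypothetical stand-in for an issuer-backed check such as TokenReview.
func staticVerifier(valid ...string) TokenVerifier {
	return func(token string) bool {
		for _, v := range valid {
			if subtle.ConstantTimeCompare([]byte(token), []byte(v)) == 1 {
				return true
			}
		}
		return false
	}
}

// probe sends one request with the given Authorization header (empty string
// means no header at all) and returns the status code, mirroring the test
// described in the report.
func probe(h http.Handler, authHeader string) int {
	req := httptest.NewRequest(http.MethodGet, "/inventory/providers", nil)
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	vuln := vulnerableAuth(okHandler())
	hard := hardenedAuth(staticVerifier("s3cr3t-token"), okHandler())
	for _, hdr := range []string{"", "Bearer ", "Bearer random-garbage", "Bearer s3cr3t-token"} {
		fmt.Printf("%-24q vulnerable=%d hardened=%d\n", hdr, probe(vuln, hdr), probe(hard, hdr))
	}
}
```

The same probe is what to run against a live deployment when checking whether an instance is affected: one request with no Authorization header, one with an arbitrary string after "Bearer ", and one with a known-good token; an unaffected service returns 401 for the first two. The point of the hardened variant is that the decision must rest on validating the token with whatever issued it, not on the shape of the header.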