CVE-2024-4332

03.06.2024, 18:15

An authentication bypass vulnerability has been identified in the REST and SOAP API components of Tripwire Enterprise (TE) 9.1.0 when TE is configured to use LDAP/Active Directory SAML authentication and its optional "Auto-synchronize LDAP Users, Roles, and Groups" feature is enabled. This vulnerability allows unauthenticated attackers to bypass authentication if a valid username is known. Exploitation of this vulnerability could allow remote attackers to gain privileged access to the APIs and lead to unauthorized information disclosure or modification.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
Fortra	CNA	---	---
CISA-ADP	ADP	---	---
CVE	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 72%

Common Weakness Enumeration

CWE-303 - Incorrect Implementation of Authentication Algorithm
The requirements for the software dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.

References

https://www.fortra.com/security/advisory/fi-2024-006