CVE-2024-45049

EUVD-2024-41284

27.08.2024, 21:15

Hydra is a Continuous Integration service for Nix based projects. It is possible to trigger evaluations in Hydra without any authentication. Depending on the size of evaluations, this can impact the availability of systems. The problem can be fixed by applying https://github.com/NixOS/hydra/commit/f73043378907c2c7e44f633ad764c8bdd1c947d5 to any Hydra package. Users are advised to upgrade. Users unable to upgrade should deny the `/api/push` route in a reverse proxy. This also breaks the "Evaluate jobset" button in the frontend.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 58%

Affected Products (NVD)

Vendor	Product	Version
nixos	hydra	𝑥 < 2024-08-27

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
nixos	hydra	𝑥 < f73043378907c2c7e44f633ad764c8bdd1c947d5	ADP

Common Weakness Enumeration

CWE-306 - Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References

https://github.com/NixOS/hydra/commit/f73043378907c2c7e44f633ad764c8bdd1c947d5

https://github.com/NixOS/hydra/security/advisories/GHSA-xv29-v93r-2f5v

https://github.com/NixOS/nixpkgs/pull/337766

https://mastodon.delroth.net/@delroth/113029832631860419