CVE-2024-36042: Silverpeas authentication bypass

June 3, 2024 (updated June 4, 2024)

Silverpeas before 6.3.5 allows authentication bypass by omitting the Password field to AuthenticationServlet, often providing an unauthenticated user with superadmin access.

References

gist.github.com/ChrisPritchard/4b6d5c70d9329ef116266a6c238dcb2d
github.com/Silverpeas/Silverpeas-Core
github.com/Silverpeas/Silverpeas-Core/commit/11fb5e21c252ce4751b85fccf5b8076156e0b4f0
github.com/advisories/GHSA-4w54-wwc9-x62c
nvd.nist.gov/vuln/detail/CVE-2024-36042
silverpeas.org/

Detect and mitigate CVE-2024-36042 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →