CVE-2024-3250: Pebble API Auth Bypass
Provally Curated | Public repository | High | Medium confidence | Verified | Apache-2.0 | Go | β
greprules fetch cve-2024-3250-pebble-api-auth-bypass --engine opengrep
Description
Pebble API endpoints `/v1/files` or websocket tasks are incorrectly configured with `UserOK: true` instead of `AdminOnly: true`. This allows unprivileged local users to read/write files and access sensitive task output, leading to a local authorization bypass. Ensure these sensitive endpoints are protected by setting `AdminOnly: true`.