Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities found for Coverity by Black Duck
CVE-2026-1496 (GCVE-0-2026-1496)
Vulnerability from nvd – Published: 2026-03-27 14:14 – Updated: 2026-03-27 14:36
VLAI?
Title
Coverity CLI Authentication Bypass
Summary
Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass. A malicious actor with access to the /token API endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication. Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user’s Coverity Connect account.
Severity ?
CWE
- CWE-639 - Authorization bypass through User-Controlled key
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Black Duck | Coverity |
Affected:
2024.3.0 , < 2025.12.0
(custom)
Unaffected: 2024.3.0A Unaffected: 2024.3.1A Unaffected: 2024.3.2A Unaffected: 2024.6.0A Unaffected: 2024.6.1A Unaffected: 2024.9.0A Unaffected: 2024.9.1A Unaffected: 2024.12.0A Unaffected: 2024.12.1A Unaffected: 2024.12.2 Unaffected: 2025.3.0A Unaffected: 2025.3.1A Unaffected: 2025.3.2 Unaffected: 2025.6.0A Unaffected: 2025.6.2A Unaffected: 2025.6.4 Unaffected: 2025.9.0A Unaffected: 2025.9.2A Unaffected: 2025.9.3 Unaffected: 2025.12.0A Unaffected: 2025.12.1 |
Date Public ?
2026-03-27 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1496",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T14:35:08.919139Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:36:04.188Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Coverity",
"vendor": "Black Duck",
"versions": [
{
"lessThan": "2025.12.0",
"status": "affected",
"version": "2024.3.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2024.3.0A"
},
{
"status": "unaffected",
"version": "2024.3.1A"
},
{
"status": "unaffected",
"version": "2024.3.2A"
},
{
"status": "unaffected",
"version": "2024.6.0A"
},
{
"status": "unaffected",
"version": "2024.6.1A"
},
{
"status": "unaffected",
"version": "2024.9.0A"
},
{
"status": "unaffected",
"version": "2024.9.1A"
},
{
"status": "unaffected",
"version": "2024.12.0A"
},
{
"status": "unaffected",
"version": "2024.12.1A"
},
{
"status": "unaffected",
"version": "2024.12.2"
},
{
"status": "unaffected",
"version": "2025.3.0A"
},
{
"status": "unaffected",
"version": "2025.3.1A"
},
{
"status": "unaffected",
"version": "2025.3.2"
},
{
"status": "unaffected",
"version": "2025.6.0A"
},
{
"status": "unaffected",
"version": "2025.6.2A"
},
{
"status": "unaffected",
"version": "2025.6.4"
},
{
"status": "unaffected",
"version": "2025.9.0A"
},
{
"status": "unaffected",
"version": "2025.9.2A"
},
{
"status": "unaffected",
"version": "2025.9.3"
},
{
"status": "unaffected",
"version": "2025.12.0A"
},
{
"status": "unaffected",
"version": "2025.12.1"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:black_duck:coverity:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2025.12.0",
"versionStartIncluding": "2024.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.3.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.3.1a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.3.2a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.6.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.6.1a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.9.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.9.1a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.12.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.12.1a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.12.2:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.3.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.3.1a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.3.2:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.6.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.6.2a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.6.4:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.9.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.9.2a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.9.3:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.12.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.12.1:*:*:*:*:*:*:*",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Huong Kieu from Cenobe"
}
],
"datePublic": "2026-03-27T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass.\u0026nbsp;\u003cspan\u003eA malicious actor with access to the\u003c/span\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003ccode\u003e/token\u003c/code\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003cspan\u003eAPI endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication.\u0026nbsp;\u003c/span\u003e\u003cspan\u003eSuccessful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user\u2019s Coverity Connect account.\u0026nbsp;\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass.\u00a0A malicious actor with access to the\u00a0/token\u00a0API endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication.\u00a0Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user\u2019s Coverity Connect account."
}
],
"impacts": [
{
"capecId": "CAPEC-384",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-384 Application API Message Manipulation via Man-in-the-Middle"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization bypass through User-Controlled key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:14:01.871Z",
"orgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
"shortName": "BlackDuck"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.blackduck.com/s/article/Black-Duck-Security-Advisory-CVE-2026-1496"
},
{
"tags": [
"vendor-advisory",
"mitigation"
],
"url": "https://community.blackduck.com/s/article/Instructions-on-how-to-block-token-endpoint-for-Coverity-Connect"
},
{
"tags": [
"vendor-advisory",
"mitigation"
],
"url": "https://community.blackduck.com/s/article/WAF-IDS-IPS-Mitigation-Guidance"
},
{
"tags": [
"related"
],
"url": "https://github.com/blackduck-inc/Coverity-Usage-Log-Analyzer"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCustomers\nare recommended to upgrade to one of the following Coverity patched versions at their earliest availability or deploy documented mitigations.\u003c/p\u003e\n\n\u003cp\u003ePatched versions:\u003c/p\u003e\n\n\u003cul\u003e\n \u003cli\u003e2025.12.1\u003c/li\u003e\n\u003cli\u003e2025.12.0A\u003c/li\u003e\u003cli\u003e2025.9.2A\u003c/li\u003e\u003cli\u003e2025.9.0A\u003c/li\u003e\u003cli\u003e2025.6.2A\u003c/li\u003e\u003cli\u003e2025.6.0A\u003c/li\u003e\u003cli\u003e2025.3.1A\u003c/li\u003e\u003cli\u003e2025.3.0A\u003c/li\u003e\u003cli\u003e2024.12.1A\u003c/li\u003e\u003cli\u003e2024.12.0A\u003c/li\u003e\u003cli\u003e2024.9.1A\u003c/li\u003e\u003cli\u003e\u003cspan\u003e2024.9.0A\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003e\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\u003cp\u003eFull Installers:\u003c/p\u003e\n\n\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e2025.12.1\u003c/li\u003e\u003cli\u003e2025.9.3\u003c/li\u003e\u003cli\u003e2025.6.4\u003c/li\u003e\u003cli\u003e2025.3.2\u003c/li\u003e\u003cli\u003e2024.12.2\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Customers\nare recommended to upgrade to one of the following Coverity patched versions at their earliest availability or deploy documented mitigations.\n\n\n\nPatched versions:\n\n\n\n\n * 2025.12.1\n\n * 2025.12.0A\n * 2025.9.2A\n * 2025.9.0A\n * 2025.6.2A\n * 2025.6.0A\n * 2025.3.1A\n * 2025.3.0A\n * 2024.12.1A\n * 2024.12.0A\n * 2024.9.1A\n * 2024.9.0A\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nFull Installers:\n\n\n\n\n\n * 2025.12.1\n * 2025.9.3\n * 2025.6.4\n * 2025.3.2\n * 2024.12.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Coverity CLI Authentication Bypass",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
"assignerShortName": "BlackDuck",
"cveId": "CVE-2026-1496",
"datePublished": "2026-03-27T14:14:01.871Z",
"dateReserved": "2026-01-27T15:53:39.147Z",
"dateUpdated": "2026-03-27T14:36:04.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-12021 (GCVE-0-2024-12021)
Vulnerability from nvd – Published: 2025-03-31 14:00 – Updated: 2025-03-31 15:13
VLAI?
Title
Stored Cross-Site Scripting
Summary
Coverity versions prior to 2024.9.0 are vulnerable to stored cross-site scripting (XSS) in various administrative interfaces. The impact of exploitation may result in the compromise of local accounts managed by the Coverity platform as well as other standard impacts resulting from cross-site scripting.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Black Duck | Coverity |
Affected:
0 , < 2024.9.0
(custom)
|
Date Public ?
2025-03-31 14:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12021",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T15:11:30.538255Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T15:13:06.890Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"MacOS",
"Linux"
],
"product": "Coverity",
"vendor": "Black Duck",
"versions": [
{
"lessThan": "2024.9.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jozef Frantisek Stefanovic"
}
],
"datePublic": "2025-03-31T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Coverity versions prior to 2024.9.0 are vulnerable to stored cross-site scripting (XSS) in various administrative interfaces. The impact of exploitation may result in the compromise of local accounts managed by the Coverity platform as well as other standard impacts resulting from cross-site scripting."
}
],
"value": "Coverity versions prior to 2024.9.0 are vulnerable to stored cross-site scripting (XSS) in various administrative interfaces. The impact of exploitation may result in the compromise of local accounts managed by the Coverity platform as well as other standard impacts resulting from cross-site scripting."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T14:00:20.216Z",
"orgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
"shortName": "BlackDuck"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.blackduck.com/s/article/Black-Duck-Product-Security-Advisory-CVE-2024-12021"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade the Coverity Platform version to 2024.9.0 at a minimum."
}
],
"value": "Upgrade the Coverity Platform version to 2024.9.0 at a minimum."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-Site Scripting",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
"assignerShortName": "BlackDuck",
"cveId": "CVE-2024-12021",
"datePublished": "2025-03-31T14:00:20.216Z",
"dateReserved": "2024-12-02T14:24:56.859Z",
"dateUpdated": "2025-03-31T15:13:06.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-1496 (GCVE-0-2026-1496)
Vulnerability from cvelistv5 – Published: 2026-03-27 14:14 – Updated: 2026-03-27 14:36
VLAI?
Title
Coverity CLI Authentication Bypass
Summary
Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass. A malicious actor with access to the /token API endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication. Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user’s Coverity Connect account.
Severity ?
CWE
- CWE-639 - Authorization bypass through User-Controlled key
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Black Duck | Coverity |
Affected:
2024.3.0 , < 2025.12.0
(custom)
Unaffected: 2024.3.0A Unaffected: 2024.3.1A Unaffected: 2024.3.2A Unaffected: 2024.6.0A Unaffected: 2024.6.1A Unaffected: 2024.9.0A Unaffected: 2024.9.1A Unaffected: 2024.12.0A Unaffected: 2024.12.1A Unaffected: 2024.12.2 Unaffected: 2025.3.0A Unaffected: 2025.3.1A Unaffected: 2025.3.2 Unaffected: 2025.6.0A Unaffected: 2025.6.2A Unaffected: 2025.6.4 Unaffected: 2025.9.0A Unaffected: 2025.9.2A Unaffected: 2025.9.3 Unaffected: 2025.12.0A Unaffected: 2025.12.1 |
Date Public ?
2026-03-27 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1496",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T14:35:08.919139Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:36:04.188Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Coverity",
"vendor": "Black Duck",
"versions": [
{
"lessThan": "2025.12.0",
"status": "affected",
"version": "2024.3.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2024.3.0A"
},
{
"status": "unaffected",
"version": "2024.3.1A"
},
{
"status": "unaffected",
"version": "2024.3.2A"
},
{
"status": "unaffected",
"version": "2024.6.0A"
},
{
"status": "unaffected",
"version": "2024.6.1A"
},
{
"status": "unaffected",
"version": "2024.9.0A"
},
{
"status": "unaffected",
"version": "2024.9.1A"
},
{
"status": "unaffected",
"version": "2024.12.0A"
},
{
"status": "unaffected",
"version": "2024.12.1A"
},
{
"status": "unaffected",
"version": "2024.12.2"
},
{
"status": "unaffected",
"version": "2025.3.0A"
},
{
"status": "unaffected",
"version": "2025.3.1A"
},
{
"status": "unaffected",
"version": "2025.3.2"
},
{
"status": "unaffected",
"version": "2025.6.0A"
},
{
"status": "unaffected",
"version": "2025.6.2A"
},
{
"status": "unaffected",
"version": "2025.6.4"
},
{
"status": "unaffected",
"version": "2025.9.0A"
},
{
"status": "unaffected",
"version": "2025.9.2A"
},
{
"status": "unaffected",
"version": "2025.9.3"
},
{
"status": "unaffected",
"version": "2025.12.0A"
},
{
"status": "unaffected",
"version": "2025.12.1"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:black_duck:coverity:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2025.12.0",
"versionStartIncluding": "2024.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.3.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.3.1a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.3.2a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.6.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.6.1a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.9.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.9.1a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.12.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.12.1a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.12.2:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.3.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.3.1a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.3.2:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.6.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.6.2a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.6.4:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.9.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.9.2a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.9.3:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.12.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.12.1:*:*:*:*:*:*:*",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Huong Kieu from Cenobe"
}
],
"datePublic": "2026-03-27T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass.\u0026nbsp;\u003cspan\u003eA malicious actor with access to the\u003c/span\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003ccode\u003e/token\u003c/code\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003cspan\u003eAPI endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication.\u0026nbsp;\u003c/span\u003e\u003cspan\u003eSuccessful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user\u2019s Coverity Connect account.\u0026nbsp;\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass.\u00a0A malicious actor with access to the\u00a0/token\u00a0API endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication.\u00a0Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user\u2019s Coverity Connect account."
}
],
"impacts": [
{
"capecId": "CAPEC-384",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-384 Application API Message Manipulation via Man-in-the-Middle"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization bypass through User-Controlled key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:14:01.871Z",
"orgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
"shortName": "BlackDuck"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.blackduck.com/s/article/Black-Duck-Security-Advisory-CVE-2026-1496"
},
{
"tags": [
"vendor-advisory",
"mitigation"
],
"url": "https://community.blackduck.com/s/article/Instructions-on-how-to-block-token-endpoint-for-Coverity-Connect"
},
{
"tags": [
"vendor-advisory",
"mitigation"
],
"url": "https://community.blackduck.com/s/article/WAF-IDS-IPS-Mitigation-Guidance"
},
{
"tags": [
"related"
],
"url": "https://github.com/blackduck-inc/Coverity-Usage-Log-Analyzer"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCustomers\nare recommended to upgrade to one of the following Coverity patched versions at their earliest availability or deploy documented mitigations.\u003c/p\u003e\n\n\u003cp\u003ePatched versions:\u003c/p\u003e\n\n\u003cul\u003e\n \u003cli\u003e2025.12.1\u003c/li\u003e\n\u003cli\u003e2025.12.0A\u003c/li\u003e\u003cli\u003e2025.9.2A\u003c/li\u003e\u003cli\u003e2025.9.0A\u003c/li\u003e\u003cli\u003e2025.6.2A\u003c/li\u003e\u003cli\u003e2025.6.0A\u003c/li\u003e\u003cli\u003e2025.3.1A\u003c/li\u003e\u003cli\u003e2025.3.0A\u003c/li\u003e\u003cli\u003e2024.12.1A\u003c/li\u003e\u003cli\u003e2024.12.0A\u003c/li\u003e\u003cli\u003e2024.9.1A\u003c/li\u003e\u003cli\u003e\u003cspan\u003e2024.9.0A\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003e\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\u003cp\u003eFull Installers:\u003c/p\u003e\n\n\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e2025.12.1\u003c/li\u003e\u003cli\u003e2025.9.3\u003c/li\u003e\u003cli\u003e2025.6.4\u003c/li\u003e\u003cli\u003e2025.3.2\u003c/li\u003e\u003cli\u003e2024.12.2\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Customers\nare recommended to upgrade to one of the following Coverity patched versions at their earliest availability or deploy documented mitigations.\n\n\n\nPatched versions:\n\n\n\n\n * 2025.12.1\n\n * 2025.12.0A\n * 2025.9.2A\n * 2025.9.0A\n * 2025.6.2A\n * 2025.6.0A\n * 2025.3.1A\n * 2025.3.0A\n * 2024.12.1A\n * 2024.12.0A\n * 2024.9.1A\n * 2024.9.0A\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nFull Installers:\n\n\n\n\n\n * 2025.12.1\n * 2025.9.3\n * 2025.6.4\n * 2025.3.2\n * 2024.12.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Coverity CLI Authentication Bypass",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
"assignerShortName": "BlackDuck",
"cveId": "CVE-2026-1496",
"datePublished": "2026-03-27T14:14:01.871Z",
"dateReserved": "2026-01-27T15:53:39.147Z",
"dateUpdated": "2026-03-27T14:36:04.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-12021 (GCVE-0-2024-12021)
Vulnerability from cvelistv5 – Published: 2025-03-31 14:00 – Updated: 2025-03-31 15:13
VLAI?
Title
Stored Cross-Site Scripting
Summary
Coverity versions prior to 2024.9.0 are vulnerable to stored cross-site scripting (XSS) in various administrative interfaces. The impact of exploitation may result in the compromise of local accounts managed by the Coverity platform as well as other standard impacts resulting from cross-site scripting.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Black Duck | Coverity |
Affected:
0 , < 2024.9.0
(custom)
|
Date Public ?
2025-03-31 14:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12021",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T15:11:30.538255Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T15:13:06.890Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"MacOS",
"Linux"
],
"product": "Coverity",
"vendor": "Black Duck",
"versions": [
{
"lessThan": "2024.9.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jozef Frantisek Stefanovic"
}
],
"datePublic": "2025-03-31T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Coverity versions prior to 2024.9.0 are vulnerable to stored cross-site scripting (XSS) in various administrative interfaces. The impact of exploitation may result in the compromise of local accounts managed by the Coverity platform as well as other standard impacts resulting from cross-site scripting."
}
],
"value": "Coverity versions prior to 2024.9.0 are vulnerable to stored cross-site scripting (XSS) in various administrative interfaces. The impact of exploitation may result in the compromise of local accounts managed by the Coverity platform as well as other standard impacts resulting from cross-site scripting."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T14:00:20.216Z",
"orgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
"shortName": "BlackDuck"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.blackduck.com/s/article/Black-Duck-Product-Security-Advisory-CVE-2024-12021"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade the Coverity Platform version to 2024.9.0 at a minimum."
}
],
"value": "Upgrade the Coverity Platform version to 2024.9.0 at a minimum."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-Site Scripting",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
"assignerShortName": "BlackDuck",
"cveId": "CVE-2024-12021",
"datePublished": "2025-03-31T14:00:20.216Z",
"dateReserved": "2024-12-02T14:24:56.859Z",
"dateUpdated": "2025-03-31T15:13:06.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}