Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Migration Toolkit for Virtualization 2.6 by Red Hat

    CVE-2024-8509 (GCVE-0-2024-8509)

    Vulnerability from nvd – Published: 2024-09-06 15:17 – Updated: 2025-11-20 07:34
    VLAI
    Title
    Migration toolkit for virtualization: forklift-controller: empty bearer token may perform authentication
    Summary
    A vulnerability was found in Forklift Controller.  There is no verification against the authorization header except to ensure it uses bearer authentication. Without an Authorization header and some form of a Bearer token, a 401 error occurs. The presence of a token value provides a 200 response with the requested information.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2024:6487 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2024-8509 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2310406 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Affected: 0 , < 2.6.6 (semver)
    Red Hat Migration Toolkit for Virtualization 2.6 Unaffected: 2.6.6-2 , < * (rpm)
        cpe:/a:redhat:migration_toolkit_virtualization:2.6::el9
        cpe:/a:redhat:migration_toolkit_virtualization:2.6::el8
    Create a notification for this product.
    Date Public
    2024-09-06 00:00
    Credits
    This issue was discovered by Andrew Block (Red Hat).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8509",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-06T15:33:00.374909Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-06T15:33:14.047Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/kubev2v/forklift",
              "defaultStatus": "unaffected",
              "packageName": "forklift-controller",
              "versions": [
                {
                  "lessThan": "2.6.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:migration_toolkit_virtualization:2.6::el9",
                "cpe:/a:redhat:migration_toolkit_virtualization:2.6::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "migration-toolkit-virtualization/mtv-api-rhel9",
              "product": "Migration Toolkit for Virtualization 2.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "2.6.6-2",
                  "versionType": "rpm"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was discovered by Andrew Block (Red Hat)."
            }
          ],
          "datePublic": "2024-09-06T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in Forklift Controller.\u00a0 There is no verification against the authorization header except to ensure it uses bearer authentication. Without an Authorization header and some form of a Bearer token, a 401 error occurs. The presence of a token value provides a 200 response with the requested information."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-20T07:34:11.943Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2024:6487",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:6487"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2024-8509"
            },
            {
              "name": "RHBZ#2310406",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310406"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-09-06T12:47:14.382Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2024-09-06T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Migration toolkit for virtualization: forklift-controller: empty bearer token may perform authentication",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
            }
          ],
          "x_redhatCweChain": "CWE-285: Improper Authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2024-8509",
        "datePublished": "2024-09-06T15:17:49.225Z",
        "dateReserved": "2024-09-06T12:47:08.205Z",
        "dateUpdated": "2025-11-20T07:34:11.943Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-8509 (GCVE-0-2024-8509)

    Vulnerability from cvelistv5 – Published: 2024-09-06 15:17 – Updated: 2025-11-20 07:34
    VLAI
    Title
    Migration toolkit for virtualization: forklift-controller: empty bearer token may perform authentication
    Summary
    A vulnerability was found in Forklift Controller.  There is no verification against the authorization header except to ensure it uses bearer authentication. Without an Authorization header and some form of a Bearer token, a 401 error occurs. The presence of a token value provides a 200 response with the requested information.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2024:6487 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2024-8509 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2310406 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Affected: 0 , < 2.6.6 (semver)
    Red Hat Migration Toolkit for Virtualization 2.6 Unaffected: 2.6.6-2 , < * (rpm)
        cpe:/a:redhat:migration_toolkit_virtualization:2.6::el9
        cpe:/a:redhat:migration_toolkit_virtualization:2.6::el8
    Create a notification for this product.
    Date Public
    2024-09-06 00:00
    Credits
    This issue was discovered by Andrew Block (Red Hat).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8509",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-06T15:33:00.374909Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-06T15:33:14.047Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/kubev2v/forklift",
              "defaultStatus": "unaffected",
              "packageName": "forklift-controller",
              "versions": [
                {
                  "lessThan": "2.6.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:migration_toolkit_virtualization:2.6::el9",
                "cpe:/a:redhat:migration_toolkit_virtualization:2.6::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "migration-toolkit-virtualization/mtv-api-rhel9",
              "product": "Migration Toolkit for Virtualization 2.6",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "2.6.6-2",
                  "versionType": "rpm"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was discovered by Andrew Block (Red Hat)."
            }
          ],
          "datePublic": "2024-09-06T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in Forklift Controller.\u00a0 There is no verification against the authorization header except to ensure it uses bearer authentication. Without an Authorization header and some form of a Bearer token, a 401 error occurs. The presence of a token value provides a 200 response with the requested information."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-20T07:34:11.943Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2024:6487",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2024:6487"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2024-8509"
            },
            {
              "name": "RHBZ#2310406",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310406"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-09-06T12:47:14.382Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2024-09-06T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Migration toolkit for virtualization: forklift-controller: empty bearer token may perform authentication",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
            }
          ],
          "x_redhatCweChain": "CWE-285: Improper Authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2024-8509",
        "datePublished": "2024-09-06T15:17:49.225Z",
        "dateReserved": "2024-09-06T12:47:08.205Z",
        "dateUpdated": "2025-11-20T07:34:11.943Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }