CVE-2024-28120 (GCVE-0-2024-28120)

Vulnerability from cvelistv5 – Published: 2024-03-11 21:14 – Updated: 2024-08-02 00:48
Title
API key leak in codeium-chrome
Summary
codeium-chrome is an open source code completion plugin for the chrome web browser. The service worker of the codeium-chrome extension doesn't check the sender when receiving an external message. This allows an attacker to host a website that will steal the user's Codeium api-key, and thus impersonate the user on the backend autocomplete server. This issue has not been addressed. Users are advised to monitor the usage of their API key.
CWE
  • CWE-284 - Improper Access Control
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner: GitHub_M
Impacted products
Vendor Product Version
Exafunction codeium-chrome Affected: <= 1.2.52

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-28120",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-12T15:50:10.792594Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T18:04:00.650Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:48:49.158Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p"
          },
          {
            "name": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "codeium-chrome",
          "vendor": "Exafunction",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.2.52"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "codeium-chrome is an open source code completion plugin for the chrome web browser. The service worker of the codeium-chrome extension doesn\u0027t check the sender when receiving an external message. This allows an attacker to host a website that will steal the user\u0027s Codeium api-key, and thus impersonate the user on the backend autocomplete server. This issue has not been addressed. Users are advised to monitor the usage of their API key."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-11T21:14:22.675Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p"
        },
        {
          "name": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome"
        }
      ],
      "source": {
        "advisory": "GHSA-8c7j-2h97-q63p",
        "discovery": "UNKNOWN"
      },
      "title": "API key leak in codeium-chrome"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-28120",
    "datePublished": "2024-03-11T21:14:22.675Z",
    "dateReserved": "2024-03-04T14:19:14.060Z",
    "dateUpdated": "2024-08-02T00:48:49.158Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-28120\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-03-11T22:15:55.707\",\"lastModified\":\"2025-02-26T18:46:09.633\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"codeium-chrome is an open source code completion plugin for the chrome web browser. The service worker of the codeium-chrome extension doesn\u0027t check the sender when receiving an external message. This allows an attacker to host a website that will steal the user\u0027s Codeium api-key, and thus impersonate the user on the backend autocomplete server. This issue has not been addressed. Users are advised to monitor the usage of their API key.\"},{\"lang\":\"es\",\"value\":\"codeium-chrome es un complemento de finalizaci\u00f3n de c\u00f3digo fuente abierto para el navegador web Chrome. El trabajador de servicio de la extensi\u00f3n codeium-chrome no verifica al remitente cuando recibe un mensaje externo. Esto permite a un atacante alojar un sitio web que robar\u00e1 la clave API de Codeium del usuario y, por lo tanto, se har\u00e1 pasar por el usuario en el servidor de autocompletar backend. Esta cuesti\u00f3n no se ha abordado. Se recomienda a los usuarios que supervisen el uso de su clave API.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"},{\"lang\":\"en\",\"value\":\"CWE-284\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:codeium:codeium:1.2.52:*:*:*:*:chrome:*:*\",\"matchCriteriaId\":\"986CD079-22AF-4BF8-A70B-9DC93F5D638C\"}]}]}],\"references\":[{\"url\":\"https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p\", \"name\": \"https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome\", \"name\": \"https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:48:49.158Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-28120\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-12T15:50:10.792594Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:16.981Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"API key leak in codeium-chrome\", \"source\": {\"advisory\": \"GHSA-8c7j-2h97-q63p\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"Exafunction\", \"product\": \"codeium-chrome\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 1.2.52\"}]}], \"references\": [{\"url\": \"https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p\", \"name\": \"https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome\", \"name\": \"https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"codeium-chrome is an open source code completion plugin for the chrome web browser. The service worker of the codeium-chrome extension doesn\u0027t check the sender when receiving an external message. This allows an attacker to host a website that will steal the user\u0027s Codeium api-key, and thus impersonate the user on the backend autocomplete server. This issue has not been addressed. Users are advised to monitor the usage of their API key.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284: Improper Access Control\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-03-11T21:14:22.675Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-28120\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T00:48:49.158Z\", \"dateReserved\": \"2024-03-04T14:19:14.060Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-03-11T21:14:22.675Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}