CVE-2024-24757

7.6 HIGH

📋 TL;DR

CVE-2024-24757 is an information exposure vulnerability in open-irs where sensitive environment variables from the .env file were accidentally committed to Git repositories. This exposes API keys, credentials, and other secrets to anyone with repository access. Users of open-irs versions before 1.0.1 who have deployed the software are affected.

💻 Affected Systems

Products:
  • open-irs
Versions: before 1.0.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments where .env files were committed to version control, typically through Git actions workflows.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain access to all secrets stored in .env files, potentially compromising connected systems, databases, APIs, and enabling lateral movement or data exfiltration.

🟠 Likely Case

Exposed API keys and credentials are harvested and used for unauthorized access to third-party services or data breaches.

🟢 If Mitigated

Limited exposure if secrets were already rotated and .env files contained minimal sensitive data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires access to the Git repository (public or compromised). No special tools are needed; viewing the repository history is sufficient.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.1

Vendor Advisory: https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr

Restart Required: No

Instructions:

1. Update open-irs to version 1.0.1 or later.
2. Rotate all exposed secrets immediately.
3. Remove .env files from Git history using git filter-repo or BFG Repo-Cleaner.

🔧 Temporary Workarounds

Remove .env from Git history (platform: all)

Permanently remove .env files from Git repository history. Two caveats: git filter-repo refuses to run on anything but a fresh clone unless forced, and rewriting history does not recall secrets from clones or forks that already exist, so rotating the exposed secrets remains mandatory. `--path .env` matches only the top-level file; use `--path-glob` for copies in subdirectories. After the force push, every collaborator must re-clone.

git filter-repo --path .env --invert-paths
git push origin --force --all

Add .env to .gitignore (platform: all)

Prevent future commits of .env files.

echo '.env' >> .gitignore
git add .gitignore
git commit -m 'Add .env to gitignore'

🧯 If You Can't Patch

  • Immediately rotate all secrets that were in .env files
  • Implement repository scanning to detect exposed secrets and monitor for unauthorized access
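The repository scanning recommended above can be automated. The following is an added example, not code from the open-irs project: it models a repository snapshot as a mapping of path to file contents (constructed sample data below), flags any committed dotenv file and any credential-looking assignment that is not an obvious placeholder, and checks whether a .gitignore actually covers .env. The file names, keys and values in SAMPLE_TREE are invented; in practice the contents would be fed from each revision of the repository (for example the output of `git show <rev>:<path>`).

```python
"""Scan a repository snapshot for committed .env files and secret-like values.

Added example (not open-irs code). The repository is represented as a mapping
of path -> contents so the scanner runs offline; the sample data is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Dotenv file names that loaders read (.env, .env.production, ...).
# .env.example / .env.sample / .env.template are intentionally committed
# templates and are excluded from the whole-file finding.
ENV_FILE_RE = re.compile(
    r"(^|/)\.env(\.(?!(example|sample|template)$)[A-Za-z0-9_-]+)?$"
)

# KEY=value or `export KEY=value`; the value is captured without trailing space.
ASSIGNMENT_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

# Key names that usually hold credentials.
SECRET_KEY_RE = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL)", re.I)

# Values that are clearly placeholders rather than live secrets.
PLACEHOLDER_RE = re.compile(
    r'^["\']?(|changeme|xxx+|<.*>|\$\{.*\}|your[-_].*)["\']?$', re.I
)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int      # 0 for whole-file findings
    kind: str      # "env-file" or "secret-assignment"
    key: str = ""  # variable name for secret-assignment findings


def is_env_file(path: str) -> bool:
    """True if the path is a dotenv file that should never be committed."""
    return ENV_FILE_RE.search(path) is not None


def scan_content(path: str, content: str) -> list[Finding]:
    """Report the file itself (if it is a dotenv file) and secret-like lines."""
    findings: list[Finding] = []
    if is_env_file(path):
        findings.append(Finding(path, 0, "env-file"))
    for lineno, raw in enumerate(content.splitlines(), start=1):
        if raw.lstrip().startswith("#"):       # skip comments
            continue
        match = ASSIGNMENT_RE.match(raw)
        if not match:
            continue
        key, value = match.group(1), match.group(2)
        if SECRET_KEY_RE.search(key) and not PLACEHOLDER_RE.match(value):
            findings.append(Finding(path, lineno, "secret-assignment", key))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan every file in a snapshot; call once per revision of interest."""
    findings: list[Finding] = []
    for path, content in files.items():
        findings.extend(scan_content(path, content))
    return findings


def gitignore_covers_env(gitignore: str) -> bool:
    """Approximate check: an unnegated pattern ignores .env and is not
    re-included by a later negation. Only literal dotenv patterns are recognised."""
    env_patterns = {".env", "/.env", ".env*", "**/.env", "*.env"}
    covered = False
    for line in gitignore.splitlines():
        pattern = line.strip()
        if not pattern or pattern.startswith("#"):
            continue
        if pattern.startswith("!"):
            if pattern[1:] in env_patterns:
                covered = False        # later negation re-includes .env
            continue
        if pattern in env_patterns:
            covered = True
    return covered


# Constructed sample snapshot; every path, key and value here is invented.
SAMPLE_TREE = {
    ".env": "DATABASE_URL=postgres://irs:hunter2@db/irs\n"
            "API_KEY=sk_live_EXAMPLE0123\n"
            "# TOKEN=commented-out-value\n",
    "config/.env.production": "SMTP_PASSWORD=\n",          # empty: placeholder
    ".env.example": "API_KEY=<your-api-key>\n",            # template: ignored
    "src/settings.py": "DEBUG = True\nSECRET_KEY = 'django-insecure-EXAMPLE'\n",
    ".gitignore": "node_modules/\n",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f.kind:18} {f.path}:{f.line} {f.key}")
    print(".gitignore covers .env:", gitignore_covers_env(SAMPLE_TREE[".gitignore"]))
```

Run against the sample snapshot, the scanner reports the committed `.env` and `config/.env.production` files, the live-looking `API_KEY` in `.env`, and the hard-coded `SECRET_KEY` in `src/settings.py`, while skipping the template file, the commented line and the empty password; it also reports that the .gitignore does not cover .env. A finding on any historical revision means the secret must be treated as exposed and rotated regardless of whether the file is still present at HEAD.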

🔍 How to Verify

Check if Vulnerable:

Check whether .env files exist anywhere in Git history. Under default pathspec matching the "**/.env" pattern requires a slash before the file name and so misses a top-level .env, which is the usual location, so list both pathspecs:

git log --all --full-history -- .env "**/.env"

Check Version:

Check package.json (or the project's version file) for the installed open-irs version.

Verify Fix Applied:

Verify that .env files are no longer in the repository: git log --all --full-history -- .env "**/.env" should return no results. Run it on a fresh clone after the force push, since a local clone may still hold the pre-rewrite objects.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized API access using exposed keys
  • Failed authentication attempts with rotated credentials

Network Indicators:

  • Unexpected outbound connections to services using exposed API keys

SIEM Query:

source="git" AND (file="*.env" OR message="*.env")
