CVE-2024-34706

9.8 CRITICAL

📋 TL;DR

This vulnerability exposes user access tokens (JWTs) to the api.form.io domain when opening forms in Valtimo, allowing attackers to steal tokens and impersonate users. Attackers can retrieve personal information or execute API requests as the compromised user. Organizations using unpatched Valtimo versions with the Form.io component are affected.

💻 Affected Systems

Products:
  • Valtimo business process and case management platform
Versions: All versions before 10.8.4, 11.1.6, and 11.2.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Form.io component misconfiguration and network access to api.form.io domain

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover, unauthorized access to sensitive business data, privilege escalation, and potential data exfiltration from the Valtimo platform.

🟠 Likely Case

Unauthorized access to user-specific data and limited API operations within the token's 5-minute TTL window.

🟢 If Mitigated

Limited impact with proper network segmentation, token monitoring, and short TTLs, though token exposure remains a concern.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires network access to api.form.io traffic and token interception within the 5-minute TTL.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.8.4, 11.1.6, or 11.2.2

Vendor Advisory: https://github.com/valtimo-platform/valtimo-frontend-libraries/security/advisories/GHSA-xcp4-62vj-cq3r

Restart Required: Yes

Instructions:

  1. Update Valtimo to version 10.8.4, 11.1.6, or 11.2.2.
  2. Apply the security patches from the GitHub commits.
  3. Restart the Valtimo application.

🔧 Temporary Workarounds

Network segmentation for api.form.io
  Applies to: all versions
  Restrict network access to the api.form.io domain to prevent token interception.

Reduce JWT TTL
  Applies to: all versions
  Decrease the access token time-to-live to minimize the exposure window. With the Keycloak admin CLI (the realm name is a placeholder):

  kcadm.sh update realms/<realm> -s accessTokenLifespan=60

🧯 If You Can't Patch

  • Implement strict network monitoring for traffic to api.form.io domain
  • Enable detailed logging of all JWT token usage and monitor for suspicious patterns

🔍 How to Verify

Check if Vulnerable:

Check if the Valtimo version is below 10.8.4, 11.1.6, or 11.2.2 and inspect network traffic for x-jwt-token headers sent to api.form.io.

Check Version:

Check Valtimo application configuration or package.json for version information

Verify Fix Applied:

Confirm Valtimo is updated to a patched version and verify that x-jwt-token headers are no longer sent to api.form.io.

📡 Detection & Monitoring

Log Indicators:

  • Unusual API requests with valid JWTs from unexpected sources
  • Multiple failed authentication attempts followed by successful token usage

Network Indicators:

  • Traffic to api.form.io containing x-jwt-token headers
  • Unusual outbound connections from Valtimo instances

SIEM Query:

source="valtimo" AND (http.header="x-jwt-token" OR destination="api.form.io")
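The two checks above (version below the fixed releases, and x-jwt-token headers travelling to api.form.io) as a single added example script. This is not code from Valtimo or the advisory; the proxy-log line format and the sample lines are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Affected ranges for CVE-2024-34706 as [first_vulnerable, first_fixed),
# derived from the fixed releases 10.8.4, 11.1.6 and 11.2.2.
VULNERABLE_RANGES = [
    ((0, 0, 0), (10, 8, 4)),
    ((11, 0, 0), (11, 1, 6)),
    ((11, 2, 0), (11, 2, 2)),
]

def parse_version(text):
    """Turn '11.1.5' (or 'v11.1.5-rc1') into a comparable 3-tuple."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable_version(text):
    """True if this Valtimo version predates the fix on its release line."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in VULNERABLE_RANGES)

# Constructed (hypothetical) proxy-log format, one request per line:
#   <timestamp> <client_ip> <method> <url> hdr:<name>=<value> ...
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(.*)$")
HDR_RE = re.compile(r"hdr:([\w-]+)=(\S+)")

def find_token_leaks(log_lines):
    """Return (timestamp, client_ip, host, token_prefix) for each request to
    api.form.io that carries an x-jwt-token header."""
    leaks = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected shape
        ts, client, _method, url, rest = m.groups()
        host = (urlparse(url).hostname or "").lower()
        headers = {k.lower(): v for k, v in HDR_RE.findall(rest)}
        if host == "api.form.io" and "x-jwt-token" in headers:
            # Record only a prefix so the alert itself does not re-leak the token.
            leaks.append((ts, client, host, headers["x-jwt-token"][:8] + "..."))
    return leaks

SAMPLE_LOG = [  # constructed sample lines; tokens are not real JWTs
    "2024-05-10T12:00:01Z 10.0.0.5 GET https://api.form.io/project/abc/form hdr:x-jwt-token=eyJhbGciOiJSUzI1NiJ9.constructed hdr:accept=application/json",
    "2024-05-10T12:00:02Z 10.0.0.5 GET https://valtimo.example.internal/api/v1/case hdr:authorization=Bearer_eyJ.constructed",
    "2024-05-10T12:00:03Z 10.0.0.7 POST https://api.form.io/project/abc/submission hdr:content-type=application/json",
]

if __name__ == "__main__":
    for v in ("10.8.3", "10.8.4", "11.1.5", "11.2.2", "12.0.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    for leak in find_token_leaks(SAMPLE_LOG):
        print("x-jwt-token sent to api.form.io:", *leak)
```

Only the first sample line is flagged: the second goes to the internal Valtimo host and the third reaches api.form.io without a token header.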
