CVE-2024-42849

6.5 MEDIUM

📋 TL;DR

A vulnerability in Silverpeas versions 6.4.2 and earlier allows remote attackers to cause a denial of service through the password change function. This affects all Silverpeas deployments running vulnerable versions and can disrupt service availability.

💻 Affected Systems

Products:
  • Silverpeas
Versions: 6.4.2 and earlier
Operating Systems: All platforms running Silverpeas
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with password change functionality enabled are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability for all users, requiring system restart or recovery procedures.

🟠 Likely Case: Temporary service disruption affecting user authentication and password management functions.

🟢 If Mitigated: Minimal impact with proper rate limiting and monitoring in place.

🌐 Internet-Facing: HIGH - Remote attackers can exploit without authentication.
🏢 Internal Only: MEDIUM - Internal attackers could still cause disruption.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on GitHub, simple to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4.3 or later

Vendor Advisory: http://silverpeas.com

Restart Required: Yes

Instructions:

1. Back up the current installation.
2. Download Silverpeas 6.4.3 or later.
3. Follow the upgrade instructions in the vendor documentation.
4. Restart the Silverpeas service.

🔧 Temporary Workarounds

Disable password change functionality (Platforms: all)

Temporarily disable the password change feature to prevent exploitation: modify the Silverpeas configuration to remove the password change endpoints.

Implement rate limiting (Platforms: all)

Add rate limiting to password change requests to prevent DoS attacks: configure the web server or application firewall to limit requests to the /password endpoints.

🧯 If You Can't Patch

  • Implement network-level rate limiting on password change endpoints
  • Monitor for abnormal password change request patterns and block suspicious IPs

🔍 How to Verify

Check if Vulnerable:

Check the Silverpeas version via the admin interface or configuration files. If the version is 6.4.2 or earlier, the system is vulnerable.

Check Version:

Check WEB-INF/version.properties or the admin dashboard for version information.

Verify Fix Applied:

Verify that the Silverpeas version is 6.4.3 or later and test that the password change functionality works normally.

📡 Detection & Monitoring

Log Indicators:

  • High volume of password change requests
  • Failed password change attempts from same IP
  • Unusual patterns in authentication logs

Network Indicators:

  • Excessive requests to password change endpoints
  • Spike in traffic to authentication services

SIEM Query:

source="silverpeas" AND (url="*/password*" OR event="password_change") | stats count by src_ip | where count > 10
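As an added defender-side illustration (not code from this page or from the Silverpeas project): the Python below applies the same logic as the SIEM query, counting requests to the password endpoint per source IP, over a handful of constructed access-log lines, and goes one step further by using a sliding time window so that a burst is distinguished from a slow trickle spread over a day. The log line format, the `/password` path fragment, the field names, the five-minute window and the threshold of 10 are assumptions taken from this page's query and workaround text, not from Silverpeas documentation; the sample lines are constructed.

```python
"""Flag source IPs hammering a password-change endpoint in access logs.

Hypothetical detection check modelled on the SIEM query on this page:
parse access-log lines, keep requests whose path contains "/password",
count them per source IP inside a sliding time window and report IPs
whose count exceeds a threshold. Log format, path marker, window and
threshold are assumptions, not Silverpeas specifics.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed combined-log-style line:
#   ip - - [dd/Mon/yyyy:HH:MM:SS +zzzz] "METHOD path HTTP/1.1" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_password_floods(lines, threshold=10, window=timedelta(minutes=5),
                         path_marker="/password"):
    """Return {ip: peak_count} for IPs whose password-endpoint requests
    exceed `threshold` within any `window`. Lines are assumed to be in
    chronological order per source IP (normal for an access log)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent endpoint hits
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or path_marker not in rec["path"]:
            continue                      # unparseable or unrelated traffic
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()                   # drop hits that fell out of the window
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


# Constructed sample log: one address sends 12 password requests in under a
# minute, an ordinary user sends two, a third address is busy but never
# touches the password endpoint, and one line is garbage.
SAMPLE_LOG = [
    *[f'203.0.113.7 - - [10/Aug/2024:10:00:{i:02d} +0000] '
      f'"POST /silverpeas/password HTTP/1.1" 200 512' for i in range(0, 60, 5)],
    '198.51.100.4 - - [10/Aug/2024:10:00:30 +0000] "GET /silverpeas/password HTTP/1.1" 200 2048',
    '198.51.100.4 - - [10/Aug/2024:10:01:10 +0000] "POST /silverpeas/password HTTP/1.1" 302 0',
    *[f'192.0.2.9 - - [10/Aug/2024:10:00:{i:02d} +0000] '
      f'"GET /silverpeas/Main HTTP/1.1" 200 4096' for i in range(0, 60, 4)],
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, peak in find_password_floods(SAMPLE_LOG).items():
        print(f"{ip}: {peak} password-endpoint requests within the window")
```

The window matters for the page's "If You Can't Patch" advice: a plain per-IP total, as in the SIEM query, will eventually flag a legitimate help desk that resets many passwords over a week, whereas the windowed count only fires on the burst pattern a flood produces. Feed it real lines by replacing the constructed `SAMPLE_LOG` with an iterator over the access log file.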
