CVE-2024-45919

6.5 MEDIUM

📋 TL;DR

A privilege escalation vulnerability in Solvait version 24.4.2 allows attackers to bypass approval workflows by manipulating Request ID and Action Type parameters. This enables unauthorized access to sensitive information and fraudulent request approvals. Organizations using the affected Solvait version are impacted.

💻 Affected Systems

Products:
  • Solvait
Versions: 24.4.2
Operating Systems: All platforms running Solvait
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the /AssignToMe/SetAction endpoint

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through unauthorized privilege escalation, leading to data theft, financial fraud, and operational disruption.

🟠 Likely Case

Unauthorized approval of fraudulent requests and access to sensitive business information that should require approval.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, though the vulnerability remains exploitable by authenticated users.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

A proof of concept is available as a GitHub gist; it requires authenticated access but involves only simple parameter manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

Check the vendor website for security updates. If a patch is available, apply it following the vendor's deployment procedures.

🔧 Temporary Workarounds

Web Application Firewall Rule

Applies to: all

Block or monitor requests to /AssignToMe/SetAction with unusual parameter patterns

WAF-specific configuration required

Access Restriction

Applies to: all

Restrict access to the /AssignToMe/SetAction endpoint to authorized users only

Network ACL or application-level access control configuration

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Solvait systems from sensitive data
  • Enable detailed logging and monitoring of all /AssignToMe/SetAction requests for anomalous patterns

🔍 How to Verify

Check if Vulnerable:

Check whether the deployment is running Solvait version 24.4.2 and test the /AssignToMe/SetAction endpoint for the parameter-manipulation vulnerability

Check Version:

Application-specific version check; consult the Solvait documentation

Verify Fix Applied:

Verify that the installed version is newer than 24.4.2 and test that parameter manipulation no longer bypasses approval workflows

📡 Detection & Monitoring

Log Indicators:

  • Multiple /AssignToMe/SetAction requests with manipulated Request ID or Action Type parameters
  • Unusual approval activity from non-authorized users

Network Indicators:

  • HTTP POST requests to /AssignToMe/SetAction with unexpected parameter values

SIEM Query:

source="solvait_logs" AND uri_path="/AssignToMe/SetAction" AND (param.RequestID NOT IN allowed_values OR param.ActionType NOT IN allowed_values)
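The SIEM query above as runnable detection logic, added here as an example that is not part of this advisory or of Solvait: it reads constructed access-log lines and flags /AssignToMe/SetAction calls whose RequestID is not assigned to the calling user or whose ActionType is outside the known set. The log format, the field names and the approver table are assumptions; in a real deployment the approver table would come from the application's workflow store.

```python
"""Detection helper for CVE-2024-45919-style approval bypass on
/AssignToMe/SetAction. Added example, not Solvait code; the log
format, parameter names and assignment table are assumptions."""
import re
from urllib.parse import parse_qs

# Constructed access-log lines: "<user> <method> <path>?<query> <status>".
SAMPLE_LOGS = [
    "alice POST /AssignToMe/SetAction?RequestID=1001&ActionType=Approve 200",
    "bob POST /AssignToMe/SetAction?RequestID=1001&ActionType=Approve 200",
    "alice POST /AssignToMe/SetAction?RequestID=1002&ActionType=Escalate 200",
    "carol GET /Dashboard 200",
    "alice POST /AssignToMe/SetAction?RequestID=1003&ActionType=Reject 200",
]

# Assumed workflow state: request ID -> approver the request is assigned to.
ASSIGNED_APPROVER = {"1001": "alice", "1002": "alice"}
# Assumed set of action types the workflow legitimately accepts.
ALLOWED_ACTIONS = {"Approve", "Reject"}
TARGET_PATH = "/AssignToMe/SetAction"

LINE_RE = re.compile(
    r"^(?P<user>\S+) (?P<method>\S+) (?P<path>[^?\s]+)"
    r"(?:\?(?P<query>\S*))? (?P<status>\d{3})$"
)

def parse_line(line):
    """Split one log line into fields; returns None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    q = parse_qs(rec["query"] or "", keep_blank_values=True)
    rec["params"] = {k: v[0] for k, v in q.items()}
    return rec

def find_suspicious(lines, assigned=ASSIGNED_APPROVER, allowed=ALLOWED_ACTIONS):
    """Return (user, request_id, action, reasons) for each SetAction call that
    acts on a request not assigned to the caller or uses an unknown action."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        rid = rec["params"].get("RequestID")
        action = rec["params"].get("ActionType")
        reasons = []
        if assigned.get(rid) != rec["user"]:
            reasons.append("request not assigned to caller")
        if action not in allowed:
            reasons.append("action type not allowed")
        if reasons:
            hits.append((rec["user"], rid, action, tuple(reasons)))
    return hits
```

Run against SAMPLE_LOGS it flags bob acting on alice's request, the unknown Escalate action, and a request ID that is assigned to nobody.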
