CVE-2024-12056

The Client secret is not checked when using the OAuth Password grant type. By exploiting this vulnerability, an attacker could connect to a web server using a client application not explicitly authorized as part of the OAuth deployment. Exploitation requires valid credentials and does not permit the attacker to bypass user privileges.

CVSS

No CVSS.

References

Link	Resource
https://www.pcvue.com/security/security/#SB2024-4

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) El secreto del cliente no se comprueba cuando se utiliza el tipo de concesión de contraseña de OAuth. Al explotar esta vulnerabilidad, un atacante podría conectarse a un servidor web mediante una aplicación cliente no autorizada explícitamente como parte de la implementación de OAuth. La explotación requiere credenciales válidas y no permite al atacante eludir los privilegios de usuario.

04 Dec 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-04 15:15

Updated : 2026-04-15 00:35

NVD link : CVE-2024-12056

Mitre link : CVE-2024-12056

CVE.ORG link : CVE-2024-12056

JSON object : View

Products Affected

No product.

CWE

CWE-358

Improperly Implemented Security Check for Standard

{"id": "CVE-2024-12056", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 2.3, "Automatable": "NO", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:X/RE:M/U:Green", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "GREEN", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2024-12-04T15:15:09.700", "references": [{"url": "https://www.pcvue.com/security/security/#SB2024-4", "source": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932", "description": [{"lang": "en", "value": "CWE-358"}]}], "descriptions": [{"lang": "en", "value": "The Client secret is not checked when using the OAuth Password grant type.\n\nBy exploiting this vulnerability, an attacker could connect to a web server using a client application not explicitly authorized as part of the OAuth deployment.\nExploitation requires valid credentials and does not permit the attacker to bypass user privileges."}, {"lang": "es", "value": "El secreto del cliente no se comprueba cuando se utiliza el tipo de concesi\u00f3n de contrase\u00f1a de OAuth. Al explotar esta vulnerabilidad, un atacante podr\u00eda conectarse a un servidor web mediante una aplicaci\u00f3n cliente no autorizada expl\u00edcitamente como parte de la implementaci\u00f3n de OAuth. La explotaci\u00f3n requiere credenciales v\u00e1lidas y no permite al atacante eludir los privilegios de usuario."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932"}