VYPR
Unrated severity · NVD Advisory · Published Feb 27, 2024 · Updated Apr 22, 2025

Apache Aurora: padding oracle can allow construction of an authentication cookie

CVE-2024-27905

Description

UNSUPPORTED WHEN ASSIGNED: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Aurora.

An endpoint exposing internals to unauthenticated users can be used as a "padding oracle" allowing an anonymous attacker to construct a valid authentication cookie. Potentially this could be combined with vulnerabilities in other components to achieve remote code execution.

As this project is retired, we do not plan to release a version that fixes this issue. Users are advised to find an alternative or to restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Affected products

2
  • Apache/Aurora (llm-fuzzy)
  • Apache Software Foundation/Apache Aurora (v5)
    Range: 0.5.0
