Description


Retool (self-hosted enterprise) through 3.40.0 inserts resource authentication credentials into sent data. Credentials for users with "Use" permissions can be discovered (by an authenticated attacker) via the /api/resources endpoint. The earliest affected version is 3.18.1.

Related CPEs

Vulnerable

Weaknesses



CWE-532

134c704f-9b21-4f2e-91b3-4a467353bcc0

Secondary

CWE-352

CVSS impact metrics


CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.5 · Medium

Information


Source identifier

[email protected]

Vulnerability status

Modified

Published

2024-08-21T23:15:03.460Z

Last modified

2025-03-13T17:15:43.603Z