CVE-2024-39899

CVSS V2 None CVSS V3 None

Description

PrivateBin is an online pastebin where the server has zero knowledge of pasted data. In v1.5, PrivateBin introduced the YOURLS server-side proxy. The idea was to allow using the YOURLs URL shortener without running the YOURLs instance without authentication and/or exposing the authentication token to the public, allowing anyone to shorten any URL. With the proxy mechanism, anyone can shorten any URL pointing to the configured PrivateBin instance. The vulnerability allowed other URLs to be shortened, as long as they contain the PrivateBin instance, defeating the limit imposed by the proxy. This vulnerability is fixed in 1.7.4.

Overview

CVE ID
CVE-2024-39899

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2024-07-09T18:57:50.228Z

Last Modified Date
2024-07-09T18:57:50.228Z

Weakness Enumerations

CWE	URL
CWE-305	http://cwe.mitre.org/data/definitions/305.html
CWE-791	http://cwe.mitre.org/data/definitions/791.html

References

Reference URL	Reference Tags
https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-mqqj-fx8h-437j	x_refsource_CONFIRM
https://github.com/PrivateBin/PrivateBin/pull/1370	x_refsource_MISC
https://github.com/PrivateBin/PrivateBin/commit/0c4e810e6728f67d678458838d8430dfba4fcca4	x_refsource_MISC

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-39899
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39899

History

Created	Old Value	New Value	Data Type	Notes
2024-07-10 13:39:46				Added to TrackCVE