Skip to main content

Hydra CVE-2024-45049

HIGH
Missing Authentication for Critical Function (CWE-306)
2024-08-27 security-advisories@github.com
7.5
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from Vendor (github) · only source for this CVE.

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Aug 27, 2024 - 21:15 cve.org
HIGH 7.5

DescriptionCVE.org

Hydra is a Continuous Integration service for Nix based projects. It is possible to trigger evaluations in Hydra without any authentication. Depending on the size of evaluations, this can impact the availability of systems. The problem can be fixed by applying https://github.com/NixOS/hydra/commit/f73043378907c2c7e44f633ad764c8bdd1c947d5 to any Hydra package. Users are advised to upgrade. Users unable to upgrade should deny the /api/push route in a reverse proxy. This also breaks the "Evaluate jobset" button in the frontend.

AnalysisAI

Hydra is a Continuous Integration service for Nix based projects. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authentication for Critical Function vulnerability could allow attackers to access critical functionality without authentication.

Technical ContextAI

This vulnerability is classified as Missing Authentication for Critical Function (CWE-306), which allows attackers to access critical functionality without authentication. Hydra is a Continuous Integration service for Nix based projects. It is possible to trigger evaluations in Hydra without any authentication. Depending on the size of evaluations, this can impact the availability of systems. The problem can be fixed by applying https://github.com/NixOS/hydra/commit/f73043378907c2c7e44f633ad764c8bdd1c947d5 to any Hydra package. Users are advised to upgrade. Users unable to upgrade should deny the /api/push route in a reverse proxy. This also breaks the "Evaluate jobset" button in the frontend. Affected products include: Nixos Hydra.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Require authentication for all sensitive operations, implement defense in depth.

More in Hydra

View all
CVE-2023-38701 CRITICAL POC
9.1 Oct 04

Hydra is the layer-two scalability solution for Cardano. Rated critical severity (CVSS 9.1), this vulnerability is remot

CVE-2023-42449 HIGH POC
8.1 Oct 04

Hydra is the two-layer scalability solution for Cardano. Rated high severity (CVSS 8.1), this vulnerability is remotely

CVE-2019-17502 HIGH POC
7.5 Oct 12

Hydra through 0.1.8 has a NULL pointer dereference and daemon crash when processing POST requests that lack a Content-Le

CVE-2019-8400 MEDIUM POC
6.1 Feb 17

ORY Hydra before v1.0.0-rc.3+oryOS.9 has Reflected XSS via the oauth2/fallbacks/error error_hint parameter. Rated medium

CVE-2023-42448 HIGH
8.1 Oct 04

Hydra is the layer-two scalability solution for Cardano. Rated high severity (CVSS 8.1), this vulnerability is remotely

CVE-2023-42806 MEDIUM
6.5 Sep 21

Hydra is the layer-two scalability solution for Cardano. Rated medium severity (CVSS 6.5), this vulnerability is remotel

CVE-2024-32657 MEDIUM
5.4 Apr 22

Hydra is a Continuous Integration service for Nix based projects. Rated medium severity (CVSS 5.4), this vulnerability i

CVE-2020-5300 MEDIUM
5.3 Apr 06

In Hydra (an OAuth2 Server and OpenID Certified™ OpenID Connect Provider written in Go), before version 1.4.0+oryOS.17,

CVE-2025-32435 LOW
2.6 Apr 15

Hydra is a Continuous Integration service for Nix based projects. Rated low severity (CVSS 2.6), this vulnerability is r

CVE-2025-54864 MEDIUM
6.9 Aug 12

Hydra is a continuous integration service for Nix based projects. Rated medium severity (CVSS 6.9), this vulnerability i

CVE-2025-54800 HIGH
7.1 Aug 12

Hydra is a continuous integration service for Nix based projects. Rated high severity (CVSS 7.1), this vulnerability is

Share

CVE-2024-45049 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy