Skip to main content

Conduit

5 CVEs product

Monthly

CVE-2024-6303 HIGH This Week

Missing authorization in Client-Server API in Conduit <=0.7.0, allowing for any alias to be removed and added to another room, which can be used for privilege escalation by moving the #admins alias. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Privilege Escalation Conduit
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2024-6302 MEDIUM This Month

Lack of privilege checking when processing a redaction in Conduit versions v0.6.0 and lower, allowing a local user to redact any message from users on the same server, given that they are able to. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Conduit
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2024-6301 HIGH This Week

Lack of validation of origin in federation API in Conduit, allowing any remote server to impersonate any user from any server in most EDUs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Conduit
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-6300 MEDIUM This Month

Incomplete cleanup when performing redactions in Conduit, allowing an attacker to check whether certain strings were present in the PDU before redaction. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Conduit
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-6299 LOW Monitor

Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has compromised an expired key to forge requests as the remote server, as well as PDUs with. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Conduit
NVD
CVSS 3.1
3.7
EPSS
0.2%
EPSS 0% CVSS 8.8
HIGH This Week

Missing authorization in Client-Server API in Conduit <=0.7.0, allowing for any alias to be removed and added to another room, which can be used for privilege escalation by moving the #admins alias. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Privilege Escalation Conduit
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Lack of privilege checking when processing a redaction in Conduit versions v0.6.0 and lower, allowing a local user to redact any message from users on the same server, given that they are able to. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Conduit
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Lack of validation of origin in federation API in Conduit, allowing any remote server to impersonate any user from any server in most EDUs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Conduit
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Incomplete cleanup when performing redactions in Conduit, allowing an attacker to check whether certain strings were present in the PDU before redaction. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Conduit
NVD
EPSS 0% CVSS 3.7
LOW Monitor

Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has compromised an expired key to forge requests as the remote server, as well as PDUs with. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Conduit
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy