{"id":"CVE-2024-24825","summary":"TokenManager not checking permissions on cached tokens in DIRAC","details":"DIRAC is a distributed resource framework. In affected versions, the TokenManager did not check permissions on cached tokens, so any user could obtain a token that had been requested by another user/agent. This may expose resources to unintended parties. This issue has been addressed in release version 8.0.37. Users are advised to upgrade. There are no known workarounds for this vulnerability.","aliases":["GHSA-59qj-jcjv-662j","PYSEC-2024-125"],"modified":"2026-04-10T05:10:57.107282Z","published":"2024-02-08T23:39:28.741Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/24xxx/CVE-2024-24825.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-200"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/24xxx/CVE-2024-24825.json"},{"type":"ADVISORY","url":"https://github.com/DIRACGrid/DIRAC/security/advisories/GHSA-59qj-jcjv-662j"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24825"},{"type":"FIX","url":"https://github.com/DIRACGrid/DIRAC/commit/f9ddab755b9a69acb85e14d2db851d8ac0c9648c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/diracgrid/dirac","events":[{"introduced":"03afedf8673dfdbece043a8ff73e35527b407e30"},{"fixed":"dea0d2cfb820190a2682deb23351e9f7da468ed1"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-24825.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}