CVE-2025-48024

In BlueWave Checkmate before 2.1, an authenticated regular user can access sensitive application secrets via the /api/v1/settings endpoint.

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/bluewave-labs/Checkmate/commit/36d78a9aa4ed607ca1bd2b5fdaca5a3927b2d287
https://github.com/bluewave-labs/Checkmate/commit/7a855ef47adf2265121c236097059c7c6555fd7c
https://github.com/bluewave-labs/Checkmate/commit/91c2f7f0d5106bdfd4a0ff2c14b7e44acc3baee6
https://github.com/bluewave-labs/Checkmate/pull/2227
https://github.com/bluewave-labs/Checkmate/security/advisories/GHSA-jjmg-cjr4-439m

Configurations

No configuration.

History

16 May 2025, 14:43

Type	Values Removed	Values Added
Summary		(es) En BlueWave Checkmate anterior a 2.1, un usuario regular autenticado puede acceder a secretos confidenciales de la aplicación a través del endpoint /api/v1/settings.

15 May 2025, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-15 05:15

Updated : 2025-05-16 14:43

NVD link : CVE-2025-48024

Mitre link : CVE-2025-48024

CVE.ORG link : CVE-2025-48024

JSON object : View

Products Affected

No product.

CWE

CWE-497

Exposure of Sensitive System Information to an Unauthorized Control Sphere

5.0 /10