Auth bypass in NixOS Hydra
CVE-2024-45049
Hydra is a continuous integration service for Nix-based projects. It is possible to trigger evaluations in Hydra without any authentication. Depending on the size of evaluations, this can impact the availability of systems. The problem can…
Vulnerability class: Broken Authentication
EPSS: 0.006 (45.1th percentile)
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Affected products
- NixOS Hydra — versions < f73043378907c2c7e44f633ad764c8bdd1c947d5
Weakness classification (CWE)
Frequently asked questions
- What is CVE-2024-45049?
  CVE-2024-45049 is a high-severity vulnerability in NixOS Hydra, classified under Missing Authentication for Critical Function. CVSS score: 7.5/10. Published 2024-08-27.
- How severe is CVE-2024-45049?
  High severity. CVSS v3 base score is 7.5 out of 10.