Home > Vulnerability Database > CVE-2024-21491

Mend.io Vulnerability Database

CVE-2024-21491

Good to know:

Date: February 13, 2024

Versions of the package svix before 1.17.0 are vulnerable to Authentication Bypass due to an issue in the verify function where signatures of different lengths are incorrectly compared. An attacker can bypass signature verification by providing a shorter signature that matches the beginning of the actual signature. **Note:** The attacker would need to know a victim uses the Rust library for verification,no easy way to automatically check that; and uses webhooks by a service that uses Svix, and then figure out a way to craft a malicious payload that will actually include all of the correct identifiers needed to trick the receivers to cause actual issues.

Language: RUST

Severity Score

5.9

Related Resources (7)

Url: https://rustsec.org/advisories/RUSTSEC-2024-0010.html

Url: https://github.com/svix/svix-webhooks/pull/1190

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-21491

Url: https://github.com/svix/svix-webhooks

Url: https://crates.io/crates/svix

Url: https://github.com/svix/svix-webhooks/commit/958821bd3b956d1436af65f70a0964d4ffb7daf6

Url: https://www.mend.io/vulnerability-database/CVE-2024-21491

Severity Score

5.9

Weakness Type (CWE)

Improper Verification of Cryptographic Signature

CWE-347

Authentication Bypass Using an Alternate Path or Channel

CWE-288

Top Fix

Upgrade Version

Upgrade to version svix - 1.17.0

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-21491

Good to know:

Date: February 13, 2024

Language: RUST

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?