3 vulnerabilities found for codeium by codeium
FKIE_CVE-2024-28120
Vulnerability from fkie_nvd - Published: 2024-03-11 22:15 - Updated: 2025-02-26 18:46
Severity
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (security-advisories@github.com, Secondary)
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (nvd@nist.gov, Primary)
Summary
codeium-chrome is an open source code completion plugin for the chrome web browser. The service worker of the codeium-chrome extension doesn't check the sender when receiving an external message. This allows an attacker to host a website that will steal the user's Codeium api-key, and thus impersonate the user on the backend autocomplete server. This issue has not been addressed. Users are advised to monitor the usage of their API key.
References
| URL | Tags |
|---|---|
| https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p | Exploit, Vendor Advisory |
| https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome | Exploit, Third Party Advisory |
```json
{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:codeium:codeium:1.2.52:*:*:*:*:chrome:*:*",
              "matchCriteriaId": "986CD079-22AF-4BF8-A70B-9DC93F5D638C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "codeium-chrome is an open source code completion plugin for the chrome web browser. The service worker of the codeium-chrome extension doesn\u0027t check the sender when receiving an external message. This allows an attacker to host a website that will steal the user\u0027s Codeium api-key, and thus impersonate the user on the backend autocomplete server. This issue has not been addressed. Users are advised to monitor the usage of their API key."
    },
    {
      "lang": "es",
      "value": "codeium-chrome es un complemento de finalizaci\u00f3n de c\u00f3digo fuente abierto para el navegador web Chrome. El trabajador de servicio de la extensi\u00f3n codeium-chrome no verifica al remitente cuando recibe un mensaje externo. Esto permite a un atacante alojar un sitio web que robar\u00e1 la clave API de Codeium del usuario y, por lo tanto, se har\u00e1 pasar por el usuario en el servidor de autocompletar backend. Esta cuesti\u00f3n no se ha abordado. Se recomienda a los usuarios que supervisen el uso de su clave API."
    }
  ],
  "id": "CVE-2024-28120",
  "lastModified": "2025-02-26T18:46:09.633",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-03-11T22:15:55.707",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        },
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}
```
CVE-2024-28120 (GCVE-0-2024-28120)
Vulnerability from cvelistv5 – Published: 2024-03-11 21:14 – Updated: 2024-08-02 00:48
Title
API key leak in codeium-chrome
Summary
codeium-chrome is an open source code completion plugin for the chrome web browser. The service worker of the codeium-chrome extension doesn't check the sender when receiving an external message. This allows an attacker to host a website that will steal the user's Codeium api-key, and thus impersonate the user on the backend autocomplete server. This issue has not been addressed. Users are advised to monitor the usage of their API key.
Severity
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CWE
CWE-284: Improper Access Control; CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p | x_refsource_CONFIRM |
| https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Exafunction | codeium-chrome | Affected: <= 1.2.52 |
```json
{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-28120",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-12T15:50:10.792594Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T18:04:00.650Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:48:49.158Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p"
          },
          {
            "name": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "codeium-chrome",
          "vendor": "Exafunction",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.2.52"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "codeium-chrome is an open source code completion plugin for the chrome web browser. The service worker of the codeium-chrome extension doesn\u0027t check the sender when receiving an external message. This allows an attacker to host a website that will steal the user\u0027s Codeium api-key, and thus impersonate the user on the backend autocomplete server. This issue has not been addressed. Users are advised to monitor the usage of their API key."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-11T21:14:22.675Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p"
        },
        {
          "name": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome"
        }
      ],
      "source": {
        "advisory": "GHSA-8c7j-2h97-q63p",
        "discovery": "UNKNOWN"
      },
      "title": "API key leak in codeium-chrome"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-28120",
    "datePublished": "2024-03-11T21:14:22.675Z",
    "dateReserved": "2024-03-04T14:19:14.060Z",
    "dateUpdated": "2024-08-02T00:48:49.158Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}
```
CVE-2024-28120 (GCVE-0-2024-28120)
Vulnerability from nvd – Published: 2024-03-11 21:14 – Updated: 2024-08-02 00:48
Title
API key leak in codeium-chrome
Summary
codeium-chrome is an open source code completion plugin for the chrome web browser. The service worker of the codeium-chrome extension doesn't check the sender when receiving an external message. This allows an attacker to host a website that will steal the user's Codeium api-key, and thus impersonate the user on the backend autocomplete server. This issue has not been addressed. Users are advised to monitor the usage of their API key.
Severity
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CWE
CWE-284: Improper Access Control; CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p | x_refsource_CONFIRM |
| https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Exafunction | codeium-chrome | Affected: <= 1.2.52 |
```json
{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-28120",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-12T15:50:10.792594Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T18:04:00.650Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:48:49.158Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p"
          },
          {
            "name": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "codeium-chrome",
          "vendor": "Exafunction",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.2.52"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "codeium-chrome is an open source code completion plugin for the chrome web browser. The service worker of the codeium-chrome extension doesn\u0027t check the sender when receiving an external message. This allows an attacker to host a website that will steal the user\u0027s Codeium api-key, and thus impersonate the user on the backend autocomplete server. This issue has not been addressed. Users are advised to monitor the usage of their API key."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-11T21:14:22.675Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p"
        },
        {
          "name": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome"
        }
      ],
      "source": {
        "advisory": "GHSA-8c7j-2h97-q63p",
        "discovery": "UNKNOWN"
      },
      "title": "API key leak in codeium-chrome"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-28120",
    "datePublished": "2024-03-11T21:14:22.675Z",
    "dateReserved": "2024-03-04T14:19:14.060Z",
    "dateUpdated": "2024-08-02T00:48:49.158Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}
```