CVE-2024-39891
Vulnerability from cvelistv5
Published
2024-07-02 00:00
Modified
2024-08-02 04:33
Severity ?
EPSS score ?
Summary
In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)
References
CISA Known exploited vulnerability
Data from the Known Exploited Vulnerabilities Catalog
Date added: 2024-07-23
Due date: 2024-08-13
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Used in ransomware: Unknown
Notes: https://www.twilio.com/en-us/changelog/Security_Alert_Authy_App_Android_iOS; https://nvd.nist.gov/vuln/detail/CVE-2024-39891
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:twilio:authy_2-factor_authentication:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "authy_2-factor_authentication",
"vendor": "twilio",
"versions": [
{
"lessThan": "26.1.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "25.1.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39891",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-23T03:55:42.678226Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2024-07-23",
"reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-203",
"description": "CWE-203 Observable Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T16:20:22.549Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"timeline": [
{
"lang": "en",
"time": "2024-07-23T00:00:00+00:00",
"value": "CVE-2024-39891 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:33:11.402Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cwe.mitre.org/data/definitions/203.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.twilio.com/docs/usage/security/reporting-vulnerabilities"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.twilio.com/en-us/changelog"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:L/I:N/PR:N/S:U/UI:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-03T22:07:07.423569",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://cwe.mitre.org/data/definitions/203.html"
},
{
"url": "https://www.twilio.com/docs/usage/security/reporting-vulnerabilities"
},
{
"url": "https://www.twilio.com/en-us/changelog"
},
{
"url": "https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-39891",
"datePublished": "2024-07-02T00:00:00",
"dateReserved": "2024-07-02T00:00:00",
"dateUpdated": "2024-08-02T04:33:11.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"cisa_known_exploited": {
"cveID": "CVE-2024-39891",
"cwes": "[\"CWE-203\"]",
"dateAdded": "2024-07-23",
"dueDate": "2024-08-13",
"knownRansomwareCampaignUse": "Unknown",
"notes": "https://www.twilio.com/en-us/changelog/Security_Alert_Authy_App_Android_iOS; https://nvd.nist.gov/vuln/detail/CVE-2024-39891",
"product": "Authy",
"requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
"shortDescription": "Twilio Authy contains an information disclosure vulnerability in its API that allows an unauthenticated endpoint to accept a request containing a phone number and respond with information about whether the phone number was registered with Authy.",
"vendorProject": "Twilio",
"vulnerabilityName": "Twilio Authy Information Disclosure Vulnerability"
},
"fkie_nvd": {
"cisaActionDue": "2024-08-13",
"cisaExploitAdd": "2024-07-23",
"cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
"cisaVulnerabilityName": "Twilio Authy Information Disclosure Vulnerability",
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:twilio:authy:*:*:*:*:*:iphone_os:*:*\", \"versionEndExcluding\": \"26.1.0\", \"matchCriteriaId\": \"F645AEA3-6ACC-4386-ACA9-793E66DBF31E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:twilio:authy_authenticator:*:*:*:*:*:android:*:*\", \"versionEndExcluding\": \"25.1.0\", \"matchCriteriaId\": \"07B60ED3-2C9B-46F8-9B6C-1FFB46067D06\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)\"}, {\"lang\": \"es\", \"value\": \"En la API de Twilio Authy, a la que acced\\u00edan Authy Android antes de la versi\\u00f3n 25.1.0 y Authy iOS antes de la versi\\u00f3n 26.1.0, un endpoint no autenticado proporcionaba acceso a determinados datos de n\\u00fameros de tel\\u00e9fono, como se explot\\u00f3 en junio de 2024. En concreto, el endpoint aceptaba un flujo de solicitudes que conten\\u00edan n\\u00fameros de tel\\u00e9fono y respond\\u00eda con informaci\\u00f3n sobre si cada n\\u00famero de tel\\u00e9fono estaba registrado en Authy. (Sin embargo, las cuentas de Authy no se vieron comprometidas).\"}]",
"id": "CVE-2024-39891",
"lastModified": "2024-12-20T16:15:33.687",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"cve@mitre.org\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}]}",
"published": "2024-07-02T18:15:03.447",
"references": "[{\"url\": \"https://cwe.mitre.org/data/definitions/203.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Technical Description\"]}, {\"url\": \"https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Press/Media Coverage\"]}, {\"url\": \"https://www.twilio.com/docs/usage/security/reporting-vulnerabilities\", \"source\": \"cve@mitre.org\", \"tags\": [\"Product\"]}, {\"url\": \"https://www.twilio.com/en-us/changelog\", \"source\": \"cve@mitre.org\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://cwe.mitre.org/data/definitions/203.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Technical Description\"]}, {\"url\": \"https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Press/Media Coverage\"]}, {\"url\": \"https://www.twilio.com/docs/usage/security/reporting-vulnerabilities\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}, {\"url\": \"https://www.twilio.com/en-us/changelog\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\"]}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-203\"}]}, {\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-203\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-39891\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2024-07-02T18:15:03.447\",\"lastModified\":\"2024-12-20T16:15:33.687\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)\"},{\"lang\":\"es\",\"value\":\"En la API de Twilio Authy, a la que acced\u00edan Authy Android antes de la versi\u00f3n 25.1.0 y Authy iOS antes de la versi\u00f3n 26.1.0, un endpoint no autenticado proporcionaba acceso a determinados datos de n\u00fameros de tel\u00e9fono, como se explot\u00f3 en junio de 2024. En concreto, el endpoint aceptaba un flujo de solicitudes que conten\u00edan n\u00fameros de tel\u00e9fono y respond\u00eda con informaci\u00f3n sobre si cada n\u00famero de tel\u00e9fono estaba registrado en Authy. (Sin embargo, las cuentas de Authy no se vieron comprometidas).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"cisaExploitAdd\":\"2024-07-23\",\"cisaActionDue\":\"2024-08-13\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"Twilio Authy Information Disclosure Vulnerability\",\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-203\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-203\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:twilio:authy:*:*:*:*:*:iphone_os:*:*\",\"versionEndExcluding\":\"26.1.0\",\"matchCriteriaId\":\"F645AEA3-6ACC-4386-ACA9-793E66DBF31E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:twilio:authy_authenticator:*:*:*:*:*:android:*:*\",\"versionEndExcluding\":\"25.1.0\",\"matchCriteriaId\":\"07B60ED3-2C9B-46F8-9B6C-1FFB46067D06\"}]}]}],\"references\":[{\"url\":\"https://cwe.mitre.org/data/definitions/203.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Press/Media Coverage\"]},{\"url\":\"https://www.twilio.com/docs/usage/security/reporting-vulnerabilities\",\"source\":\"cve@mitre.org\",\"tags\":[\"Product\"]},{\"url\":\"https://www.twilio.com/en-us/changelog\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://cwe.mitre.org/data/definitions/203.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Press/Media Coverage\"]},{\"url\":\"https://www.twilio.com/docs/usage/security/reporting-vulnerabilities\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://www.twilio.com/en-us/changelog\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.