Altair is a GraphQL client for all platforms. Prior to version 8.0.5, Altair GraphQL Client's desktop app does not validate HTTPS certificates allowing a man-in-the-middle to intercept all requests. Any Altair users on untrusted networks (eg. public wifi, malicious DNS servers) may have all GraphQL request and response headers and bodies fully compromised including authorization tokens. The attack also allows obtaining full access to any signed-in Altair GraphQL Cloud account and replacing payment checkout pages with a malicious website. Version 8.0.5 fixes the issue.
Metrics
Affected Vendors & Products
References
History
Tue, 10 Dec 2024 16:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Mon, 09 Dec 2024 19:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Altair is a GraphQL client for all platforms. Prior to version 8.0.5, Altair GraphQL Client's desktop app does not validate HTTPS certificates allowing a man-in-the-middle to intercept all requests. Any Altair users on untrusted networks (eg. public wifi, malicious DNS servers) may have all GraphQL request and response headers and bodies fully compromised including authorization tokens. The attack also allows obtaining full access to any signed-in Altair GraphQL Cloud account and replacing payment checkout pages with a malicious website. Version 8.0.5 fixes the issue. | |
Title | Altair GraphQL Client's desktop app does not validate HTTPS certificates | |
Weaknesses | CWE-295 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-12-09T18:55:58.277Z
Updated: 2024-12-10T16:10:09.765Z
Reserved: 2024-11-29T18:02:16.756Z
Link: CVE-2024-54147
Vulnrichment
Updated: 2024-12-10T16:10:04.744Z
NVD
Status : Received
Published: 2024-12-09T19:15:14.513
Modified: 2024-12-09T19:15:14.513
Link: CVE-2024-54147
Redhat
No data.