CVE-2024-42056
Disclosure of CVE-2024-42056.
Certain versions of Self-hosted Retool for Enterprise between 3.18.1 and 3.40.0 insert resource authentication credentials into sent data. This could allow remote authenticated attackers to access resource authentication credentials for users with Use permissions via the /api/resources endpoint.
| Disclosure | Details |
|---|---|
| Vulnerability Type | Insertion of Sensitive Information Into Sent Data. |
| Vendor of Product | Retool. |
| Affected Product Code Base | View affected release versions. |
| Affected Component | Self-hosted Retool organizations on Enterprise plan. |
| Attack Type | Remote. |
| Impact | Information Disclosure. |
| Reference | https://docs.retool.com/releases |
| Discoverer | Anubhav Sharma. This vulnerability was also independently discovered by 6mile |
Affected release versions
| Release | Release versions |
|---|---|
| 3.18 | 3.18.1 to 3.18.23 |
| 3.20 | 3.20.1 to 3.20.18 |
| 3.22 | 3.22.1 to 3.22.21 |
| 3.24 | 3.24.1 to 3.24.22 |
| 3.26 | 3.26.4 to 3.26.14 |
| 3.28 | 3.28.3 to 3.28.15 |
| 3.30 | 3.30.1 to 3.30.15 |
| 3.32 | 3.32.1 to 3.32.12 |
| 3.33 | 3.33.1-stable to 3.33.18-stable |
| 3.36 | 3.36.0-edge to 3.36.1-edge |
| 3.37 | 3.37.0-edge |
| 3.38 | 3.38.0-edge |
| 3.39 | 3.39.0-edge |
| 3.40 | 3.40.0-edge |