CVE-2024-31206 - OpenCVE

dectalk-tts is a Node package to interact with the aeiou Dectalk web API. In `dectalk-tts@1.0.0`, network requests to the third-party API are sent over HTTP, which is unencrypted. Unencrypted traffic can be easily intercepted and modified by attackers. Anyone who uses the package could be the victim of a man-in-the-middle (MITM) attack. The network request was upgraded to HTTPS in version `1.0.1`. There are no workarounds, but some precautions include not sending any sensitive information and carefully verifying the API response before saving it.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://github.com/JstnMcBrd/dectalk-tts/blob/b3e92156cbb699218ac9b9c7d8979abd0e635767/src/index.ts#L18
https://github.com/JstnMcBrd/dectalk-tts/commit/3600d8ac156f27da553ac4ead46d16989a350105
https://github.com/JstnMcBrd/dectalk-tts/issues/3
https://github.com/JstnMcBrd/dectalk-tts/pull/4
https://github.com/JstnMcBrd/dectalk-tts/security/advisories/GHSA-6cf6-8hvr-r68w

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-04T22:10:29.200Z

Updated: 2024-04-04T22:10:29.200Z

Reserved: 2024-03-29T14:16:31.900Z

Link: CVE-2024-31206

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-04-04T23:15:15.897

Modified: 2024-04-05T12:40:52.763

Link: CVE-2024-31206

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-31206", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-29T14:16:31.900Z", "datePublished": "2024-04-04T22:10:29.200Z", "dateUpdated": "2024-04-04T22:10:29.200Z"}, "containers": {"cna": {"title": "Use of Unencrypted HTTP Request in dectalk-tts", "problemTypes": [{"descriptions": [{"cweId": "CWE-300", "lang": "en", "description": "CWE-300: Channel Accessible by Non-Endpoint", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-319", "lang": "en", "description": "CWE-319: Cleartext Transmission of Sensitive Information", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-598", "lang": "en", "description": "CWE-598: Use of GET Request Method With Sensitive Query Strings", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/JstnMcBrd/dectalk-tts/security/advisories/GHSA-6cf6-8hvr-r68w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/JstnMcBrd/dectalk-tts/security/advisories/GHSA-6cf6-8hvr-r68w"}, {"name": "https://github.com/JstnMcBrd/dectalk-tts/issues/3", "tags": ["x_refsource_MISC"], "url": "https://github.com/JstnMcBrd/dectalk-tts/issues/3"}, {"name": "https://github.com/JstnMcBrd/dectalk-tts/pull/4", "tags": ["x_refsource_MISC"], "url": "https://github.com/JstnMcBrd/dectalk-tts/pull/4"}, {"name": "https://github.com/JstnMcBrd/dectalk-tts/commit/3600d8ac156f27da553ac4ead46d16989a350105", "tags": ["x_refsource_MISC"], "url": "https://github.com/JstnMcBrd/dectalk-tts/commit/3600d8ac156f27da553ac4ead46d16989a350105"}, {"name": "https://github.com/JstnMcBrd/dectalk-tts/blob/b3e92156cbb699218ac9b9c7d8979abd0e635767/src/index.ts#L18", "tags": ["x_refsource_MISC"], "url": "https://github.com/JstnMcBrd/dectalk-tts/blob/b3e92156cbb699218ac9b9c7d8979abd0e635767/src/index.ts#L18"}], "affected": [{"vendor": "JstnMcBrd", "product": "dectalk-tts", "versions": [{"version": "= 1.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-04T22:10:29.200Z"}, "descriptions": [{"lang": "en", "value": "dectalk-tts is a Node package to interact with the aeiou Dectalk web API. In `dectalk-tts@1.0.0`, network requests to the third-party API are sent over HTTP, which is unencrypted. Unencrypted traffic can be easily intercepted and modified by attackers. Anyone who uses the package could be the victim of a man-in-the-middle (MITM) attack. The network request was upgraded to HTTPS in version `1.0.1`. There are no workarounds, but some precautions include not sending any sensitive information and carefully verifying the API response before saving it."}], "source": {"advisory": "GHSA-6cf6-8hvr-r68w", "discovery": "UNKNOWN"}}}}

{"descriptions": [{"lang": "en", "value": "dectalk-tts is a Node package to interact with the aeiou Dectalk web API. In `dectalk-tts@1.0.0`, network requests to the third-party API are sent over HTTP, which is unencrypted. Unencrypted traffic can be easily intercepted and modified by attackers. Anyone who uses the package could be the victim of a man-in-the-middle (MITM) attack. The network request was upgraded to HTTPS in version `1.0.1`. There are no workarounds, but some precautions include not sending any sensitive information and carefully verifying the API response before saving it."}, {"lang": "es", "value": "dectalk-tts es un paquete de Nodo para interactuar con la API web aeiou Dectalk. En `dectalk-tts@1.0.0`, las solicitudes de red a la API de terceros se env\u00edan a trav\u00e9s de HTTP, que no est\u00e1 cifrado. Los atacantes pueden interceptar y modificar f\u00e1cilmente el tr\u00e1fico no cifrado. Cualquiera que utilice el paquete podr\u00eda ser v\u00edctima de un ataque de intermediario (MITM). La solicitud de red se actualiz\u00f3 a HTTPS en la versi\u00f3n \"1.0.1\". No existen workarounds, pero algunas precauciones incluyen no enviar informaci\u00f3n confidencial y verificar cuidadosamente la respuesta de la API antes de guardarla."}], "id": "CVE-2024-31206", "lastModified": "2024-04-05T12:40:52.763", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-04-04T23:15:15.897", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/JstnMcBrd/dectalk-tts/blob/b3e92156cbb699218ac9b9c7d8979abd0e635767/src/index.ts#L18"}, {"source": "security-advisories@github.com", "url": "https://github.com/JstnMcBrd/dectalk-tts/commit/3600d8ac156f27da553ac4ead46d16989a350105"}, {"source": "security-advisories@github.com", "url": "https://github.com/JstnMcBrd/dectalk-tts/issues/3"}, {"source": "security-advisories@github.com", "url": "https://github.com/JstnMcBrd/dectalk-tts/pull/4"}, {"source": "security-advisories@github.com", "url": "https://github.com/JstnMcBrd/dectalk-tts/security/advisories/GHSA-6cf6-8hvr-r68w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-300"}, {"lang": "en", "value": "CWE-319"}, {"lang": "en", "value": "CWE-598"}], "source": "security-advisories@github.com", "type": "Secondary"}]}