CVE-2024-22194

Summary

cdo-local-uuid project provides a specialized UUID-generating function that can, on user request, cause a program to generate deterministic UUIDs. An information leakage vulnerability is present in cdo-local-uuid at version 0.4.0, and in case-utils in unpatched versions (matching the pattern 0.x.0) at and since 0.5.0, before 0.15.0. The vulnerability stems from a Python function, cdo_local_uuid.local_uuid(), and its original implementation case_utils.local_uuid().

Affected Software

VendorProductVersion RangeStatus
Cyber-Domain-OntologyCDO-Utility-Local-UUID= 0.4.0affected
Cyber-Domain-OntologyCDO-Utility-Local-UUID= 0.5.0affected
Cyber-Domain-OntologyCDO-Utility-Local-UUID= 0.6.0affected
Cyber-Domain-OntologyCDO-Utility-Local-UUID= 0.7.0affected
Cyber-Domain-OntologyCDO-Utility-Local-UUID= 0.8.0affected
Cyber-Domain-OntologyCDO-Utility-Local-UUID= 0.9.0affected
Cyber-Domain-OntologyCDO-Utility-Local-UUID= 0.10.0affected
Cyber-Domain-OntologyCDO-Utility-Local-UUID= 0.11.0affected
Cyber-Domain-OntologyCDO-Utility-Local-UUID= 0.12.0affected

Weaknesses

  • CWE-215: CWE-215: Insertion of Sensitive Information Into Debugging Code
  • CWE-337: CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References