CVE-2024-5166

Summary

An Insecure Direct Object Reference in Google Cloud's Looker allowed metadata exposure across authenticated Looker users sharing the same LookML model.

Affected Software

VendorProductVersion RangeStatus
Google CloudLooker23.18affected
Google CloudLooker23.20affected
Google CloudLooker24.0affected
Google CloudLooker24.2affected
Google CloudLooker24.4affected
Google CloudLooker24.6affected
Google CloudLooker24.8affected
Google CloudLooker24.10affected
Google CloudLooker24.12affected
Google CloudLooker24.14affected
Google CloudLooker24.16affected
Google CloudLooker24.18affected
Google CloudLooker24.20affected

Weaknesses

  • CWE-639: CWE-639 Authorization Bypass Through User-Controlled Key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References