NVD Vulnerability Details: CVE-2024-21491
Modified
Source: report@snyk.io
Published At: 13 Feb, 2024 | 05:15
Updated At: 09 May, 2025 | 19:15

Versions of the package svix before 1.17.0 are vulnerable to Authentication Bypass due to an issue in the verify function where signatures of different lengths are incorrectly compared. An attacker can bypass signature verification by providing a shorter signature that matches the beginning of the actual signature. **Note:** The attacker would need to know that a victim uses the Rust library for verification (there is no easy way to automatically check that) and uses webhooks from a service that uses Svix, and would then need to figure out a way to craft a malicious payload that actually includes all of the correct identifiers needed to trick the receivers into causing actual issues.
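The comparison flaw described above can be illustrated as follows. This is an added example, not the svix source and not the upstream patch; the function names and the sample tag are hypothetical and constructed for the illustration.

```rust
// Added illustration of the bug class; not code from svix-webhooks.

/// Flawed pattern: `zip` stops at the shorter input, so only the overlapping
/// prefix is compared and a length mismatch is never noticed.
fn prefix_only_eq(expected: &[u8], provided: &[u8]) -> bool {
    let mut diff = 0u8;
    for (a, b) in expected.iter().zip(provided.iter()) {
        diff |= a ^ b;
    }
    diff == 0
}

/// Hardened pattern: reject a length mismatch first (the length is not
/// secret), then accumulate differences over every byte with no early exit.
fn full_length_eq(expected: &[u8], provided: &[u8]) -> bool {
    if expected.len() != provided.len() {
        return false;
    }
    let mut diff = 0u8;
    for (a, b) in expected.iter().zip(provided.iter()) {
        diff |= a ^ b;
    }
    diff == 0
}

/// Constructed 32-byte value standing in for a computed HMAC-SHA256 tag.
fn sample_tag() -> [u8; 32] {
    let mut tag = [0u8; 32];
    for (i, b) in tag.iter_mut().enumerate() {
        *b = (i as u8).wrapping_mul(37).wrapping_add(11);
    }
    tag
}

fn main() {
    let tag = sample_tag();
    let truncated = &tag[..4]; // shorter value that matches the beginning

    // The flawed comparison accepts the truncated value; the hardened one rejects it.
    println!("prefix_only_eq(truncated) = {}", prefix_only_eq(&tag, truncated));
    println!("full_length_eq(truncated) = {}", full_length_eq(&tag, truncated));
    println!("full_length_eq(full tag)  = {}", full_length_eq(&tag, &tag));
}
```

A regression test for a webhook verifier should include a truncated-signature case like the one above, alongside the usual wrong-signature case.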

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Secondary
Version: 3.1
Base score: 5.9
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N

Type: Primary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CPE Matches

svix >> svix-webhooks >> Versions before 1.17.0 (exclusive)
cpe:2.3:a:svix:svix-webhooks:*:*:*:*:*:*:*:*
Weaknesses
CWE ID: CWE-288
Type: Secondary
Source: report@snyk.io

CWE ID: CWE-347
Type: Primary
Source: nvd@nist.gov

CWE ID: CWE-288
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
References
Hyperlink: https://github.com/svix/svix-webhooks/commit/958821bd3b956d1436af65f70a0964d4ffb7daf6
Source: report@snyk.io; af854a3a-2127-422b-91ae-364da2661108
Resource: Patch

Hyperlink: https://github.com/svix/svix-webhooks/pull/1190
Source: report@snyk.io; af854a3a-2127-422b-91ae-364da2661108
Resource: Patch

Hyperlink: https://rustsec.org/advisories/RUSTSEC-2024-0010.html
Source: report@snyk.io; af854a3a-2127-422b-91ae-364da2661108
Resource: Third Party Advisory

Hyperlink: https://security.snyk.io/vuln/SNYK-RUST-SVIX-6230729
Source: report@snyk.io; af854a3a-2127-422b-91ae-364da2661108
Resource: Third Party Advisory