CVE-2024-10082: 
Python vulnerability analysis and mitigation

CodeChecker, an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy, contains a critical authentication vulnerability up to version 6.24.1. The vulnerability stems from an authentication method confusion that allows unauthorized access to the built-in root user account from external services. The root user account is generated with weak security measures and cannot be disabled while having universal access privileges (GitHub Advisory).

The vulnerability involves an auto-generated super-user account that cannot be disabled and is unconditionally assigned superuser permissions. The critical aspect is that any user logging in through any service with the root user's username automatically receives superuser permissions on the CodeChecker instance. The root username can be found in the root.user file within the CodeChecker configuration directory. The vulnerability has been assigned a CVSS v3.1 score of 8.7 (High), with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N. The vulnerability is tracked under multiple CWE categories: CWE-305 (Authentication Bypass), CWE-330 (Use of Insufficiently Random Values), and CWE-842 (Placement of User into Incorrect Group) (GitHub Advisory).

The vulnerability enables an attacker with the ability to create an account on an enabled external authentication service to gain unauthorized access as the root user. This grants them complete control over everything manageable through the web interface, provided they can obtain the root user's username. The impact is particularly severe due to the universal access privileges associated with the root account (GitHub Advisory).

The vulnerability has been patched in CodeChecker version 6.24.2. Organizations using affected versions (6.24.1 and earlier) should upgrade to the patched version immediately (GitHub Advisory).