CVE-2024-24825: 
Python vulnerability analysis and mitigation

DIRAC, a distributed resource framework, was found to contain a critical security vulnerability (CVE-2024-24825) that affects versions 8.0.0 through 8.0.37. The vulnerability was discovered and disclosed in February 2024, allowing any user to obtain tokens that were requested by other users or agents (GitHub Advisory).

The vulnerability stems from the TokenManager service not properly checking permissions on cached tokens. The issue has been assigned a CVSS v3.1 base score of 9.1 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N by GitHub, while NVD assigned a score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability could expose sensitive resources to unintended parties by allowing unauthorized users to access tokens that were meant for other users or agents. This could potentially lead to unauthorized access to protected resources and compromise of security boundaries (GitHub Advisory).

The vulnerability has been patched in DIRAC version 8.0.37. Users are strongly advised to upgrade to this version or later. There are no known workarounds for this vulnerability (GitHub Advisory).