← Voltar para CVEs
CVE-2024-39891
MEDIUMCISA KEV5.3
Descricao
In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)
Detalhes CVE
Pontuacao CVSS v3.15.3
SeveridadeMEDIUM
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado7/2/2024
Ultima modificacao11/5/2025
Fontekev
Avistamentos honeypot0
CISA KEV
FornecedorTwilio
ProdutoAuthy
Nome da vulnerabilidadeTwilio Authy Information Disclosure Vulnerability
Data inclusao KEV2024-07-23
Prazo de remediacao2024-08-13
Uso em ransomwareUnknown
Produtos afetados
twilio:authytwilio:authy_authenticator
Fraquezas (CWE)
CWE-203CWE-203
Referencias
https://cwe.mitre.org/data/definitions/203.html(cve@mitre.org)
https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/(cve@mitre.org)
https://www.twilio.com/en-us/changelog(cve@mitre.org)
https://cwe.mitre.org/data/definitions/203.html(af854a3a-2127-422b-91ae-364da2661108)
https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/(af854a3a-2127-422b-91ae-364da2661108)
https://www.twilio.com/docs/usage/security/reporting-vulnerabilities(af854a3a-2127-422b-91ae-364da2661108)
https://www.twilio.com/en-us/changelog(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-39891(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.