CVE-2024-39891

CVE Published	2024-07-02
Related CWE(s)	CWE-203: Observable Discrepancy
Related Vendor(s)	twilio
Related Product(s)	authy, authy_authenticator
Exploitation Reported (CISA KEV)	2024-07-23
CVSS 3 Base Score	5.3 (MEDIUM)
CVSS 3 Attack Complexity	LOW
CVSS 3 Attack Vector	NETWORK

In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.)

Cyber Threat Graph Context

Explore how this CVE relates to the wider threat graph

Associated CAPEC Patterns

Black Box Reverse Engineering (CAPEC-189)

An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.

References

CVE-2024-39891

Cyber Threat Graph Context

Associated CAPEC Patterns

Black Box Reverse Engineering (CAPEC-189)

References

CVE.org

NIST National Vulnerability Database

CISA Known Exploited Vulnerabilities