{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T13:29:17.130","vulnerabilities":[{"cve":{"id":"CVE-2024-23639","sourceIdentifier":"security-advisories@github.com","published":"2024-02-09T01:15:09.867","lastModified":"2024-11-21T08:58:03.900","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Micronaut Framework is a modern, JVM-based, full stack Java framework designed for building modular, easily testable JVM applications with support for Java, Kotlin and the Groovy language. Enabled but unsecured management endpoints are susceptible to drive-by localhost attacks. While not typical of a production application, these attacks may have more impact on a development environment where such endpoints may be flipped on without much thought. A malicious/compromised website can make HTTP requests to `localhost`. Normally, such requests would trigger a CORS preflight check which would prevent the request; however, some requests are \"simple\" and do not require a preflight check. These endpoints, if enabled and not secured, are vulnerable to being triggered. Production environments typically disable unused endpoints and secure/restrict access to needed endpoints. A more likely victim is the developer in their local development host, who has enabled endpoints without security for the sake of easing development. This issue has been addressed in version 3.8.3. Users are advised to upgrade."},{"lang":"es","value":"Micronaut Framework es un framework Java moderno, de pila completa y basado en JVM, manipulado para crear aplicaciones JVM modulares y fácilmente comprobables con soporte para Java, Kotlin y el lenguaje Groovy. Los endpoints de administración habilitados pero no seguros son susceptibles a ataques de host local. Si bien no son típicos de una aplicación de producción, estos ataques pueden tener un mayor impacto en un entorno de desarrollo donde dichos endpoints pueden activarse sin pensarlo mucho. Un sitio web malicioso o comprometido puede realizar solicitudes HTTP a \"localhost\". Normalmente, dichas solicitudes desencadenarían una verificación previa de CORS que impediría la solicitud; sin embargo, algunas solicitudes son \"simples\" y no requieren una verificación previa. Estos endpoints, si están habilitados y no protegidos, son vulnerables a ser activados. Los entornos de producción normalmente desactivan los endpoints no utilizados y protegen/restringen el acceso a los endpoints necesarios. Una víctima más probable es el desarrollador de su host de desarrollo local, que ha habilitado endpoints sin seguridad para facilitar el desarrollo. Este problema se solucionó en la versión 3.8.3. Se recomienda a los usuarios que actualicen."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L","baseScore":5.1,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.5,"impactScore":2.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-15"},{"lang":"en","value":"CWE-610"},{"lang":"en","value":"CWE-664"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:objectcomputing:micronaut:*:*:*:*:*:*:*:*","versionEndExcluding":"3.8.3","matchCriteriaId":"9FE06CE0-3CED-4A8E-8B66-3773C15010BC"}]}]}],"references":[{"url":"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests","source":"security-advisories@github.com","tags":["Not Applicable"]},{"url":"https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-583g-g682-crxf","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Not Applicable"]},{"url":"https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-583g-g682-crxf","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}