Is CVE-2022-24706 exploitable?

Yes — CVE-2022-24706 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning it is confirmed exploited in the wild.

Is CVE-2022-24706 a false positive?

No practitioners have marked CVE-2022-24706 a false positive so far (2 verdicts).

How do I remediate CVE-2022-24706?

See the authoritative references (NVD, vendor advisory) and community field notes on this page for remediation guidance.

CVE-2022-24706

Insecure Default Initialization — is CVE-2022-24706real, exploitable, or a false positive? Here's the community ground truth.

☆ Watch

Critical · CVSS 9.8EPSS 92.3%CISA KEVCWE-1188 · Insecure Default Initialization

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.

References

NVD MITRE CVE.org CISA KEV

Published Apr 26, 2022

Embed this verdict

Markdown

[![TruePositive verdict](https://www.truepositive.app/cve/CVE-2022-24706/badge.svg)](https://www.truepositive.app/cve/CVE-2022-24706)

HTML

<a href="https://www.truepositive.app/cve/CVE-2022-24706"><img src="https://www.truepositive.app/cve/CVE-2022-24706/badge.svg" alt="TruePositive verdict for CVE-2022-24706"></a>

Live badge — updates automatically as the community verdict changes.

Community ground truth

Community verdict

2 verdicts

Not a real issue

to add your verdict.

Community real-world severity: Critical (Critical 2) — CVSS base score 9.8

In line with its CVSS base score.

Field notes & remediation

Verdicts are the quick signal — notes are the evidence and fixes behind them.

No notes yet — be the first to share what you saw or a fix that worked.

Same weakness — CWE-1188 · Insecure Default Initialization.

CVE-2023-27524CVSS 8.9KEVEPSS 97%
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config. All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database. Add a strong SECRET_KEY to your `superset_config.py` file like: SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY> Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable.

CVE-2022-24706

Community ground truth

Field notes & remediation

Related CVEs