CVE-2024-1248
CVE-2024-1248 is a medium-severity vulnerability with a CVSS 3.x base score of 4.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-298.
Key facts
- Severity: Medium (CVSS 3.x base score 4.8)
- EPSS exploit prediction: 0% (11th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-298
- Published:
- Last modified:
Description
The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username with a local user. This allows the provisioning process to overwrite existing roles of local users with roles assigned to the federated user. Exploitation requires a federated identity provider (IDP) with silent JIT provisioning enabled and an attacker's knowledge of a local user's username. When these conditions are met, a malicious individual can leverage the JIT provisioning process to modify the roles of local users. The overwritten roles are limited to those defined within the federated IDP, typically granting minimal access rights unless explicitly configured otherwise by the federated IDP administrator.
Frequently asked questions
- What is CVE-2024-1248?
- The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username with a local user. This allows the provisioning process to overwrite existing roles of local users with roles assigned to the federated user. Exploitation requires a federated identity provider (IDP) with silent JIT provisioning enabled and an attacker's knowledge of a local user's username. When these conditions are met, a malicious individual can leverage the JIT provisioning process to modify the roles of local users. The overwritten roles are limited to those defined within the federated IDP, typically granting minimal access rights unless explicitly configured otherwise by the federated IDP administrator.
- How severe is CVE-2024-1248?
- CVE-2024-1248 has a CVSS 3.x base score of 4.8, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability low.
- Is CVE-2024-1248 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (11th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2024-1248?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2024-1248 published?
- CVE-2024-1248 was published on 2026-07-04 and last updated on 2026-07-06.
References
Other CWE-298 vulnerabilities
- CVE-2025-67109 — Critical (CVSS 10.0): Improper verification of the time certificate in Eclipse Cyclone DDS before v0.10.5 allows attackers to bypass…
- CVE-2025-67108 — Critical (CVSS 10.0): eProsima Fast-DDS v3.3 was discovered to contain improper validation for ticket revocation, resulting in insecure…
- CVE-2025-61736 — High (CVSS 7.1): Successful exploitation of this vulnerability could result in the product failing to re-establish communication once…
- CVE-2025-4384 — Medium (CVSS 6.0): The MQTT add-on of PcVue fails to verify that a remote device’s certificate has not already expired or has not yet…
- CVE-2025-59036 — Medium (CVSS 5.5): Infrahub offers a central hub to manage data, templates, and playbooks. Prior to versiond 1.3.9 and 1.4.5, a bug in the…