CVE-2024-6299
CVE-2024-6299 is a medium-severity vulnerability in Conduit with a CVSS 3.x base score of 4.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-324.
Key facts
- Severity: Medium (CVSS 3.x base score 4.8)
- EPSS exploit prediction: 0% (6th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-47416
- Weakness: CWE-324
- Affected product: Conduit
- Published:
- Last modified:
Description
Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has compromised an expired key to forge requests as the remote server, as well as PDUs with timestamps past the expiry date
Frequently asked questions
- What is CVE-2024-6299?
- Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has compromised an expired key to forge requests as the remote server, as well as PDUs with timestamps past the expiry date
- How severe is CVE-2024-6299?
- CVE-2024-6299 has a CVSS 3.x base score of 4.8, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2024-6299 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (6th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-6299?
- CVE-2024-6299 affects Conduit. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-6299?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2024-6299 have an EU (EUVD) identifier?
- Yes. CVE-2024-6299 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-47416.
- When was CVE-2024-6299 published?
- CVE-2024-6299 was published on 2024-06-25 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:conduit:conduit:*:*:*:*:*:*:*:*
More vulnerabilities in Conduit
- CVE-2024-6303 — Critical (CVSS 9.9): Missing authorization in Client-Server API in Conduit <=0.7.0, allowing for any alias to be removed and added to…
- CVE-2024-6302 — High (CVSS 8.1): Lack of privilege checking when processing a redaction in Conduit versions v0.6.0 and lower, allowing a local user to…
- CVE-2024-6301 — Medium (CVSS 5.3): Lack of validation of origin in federation API in Conduit, allowing any remote server to impersonate any user from any…
- CVE-2024-6300 — Low (CVSS 3.7): Incomplete cleanup when performing redactions in Conduit, allowing an attacker to check whether certain strings were…
Other CWE-324 vulnerabilities
- CVE-2024-36031 — Critical (CVSS 9.8): In the Linux kernel, the following vulnerability has been resolved: keys: Fix overwrite of key expiration on…
- CVE-2025-31123 — High (CVSS 8.7): Zitadel is open-source identity infrastructure software. A vulnerability existed where expired keys can be used to…
- CVE-2025-2291 — High (CVSS 8.1): Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value,…
- CVE-2026-52809 — Medium (CVSS 6.8): Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using…
- CVE-2024-25679 — Medium (CVSS 6.5): In PQUIC before 5bde5bb, retention of unused initial encryption keys allows attackers to disrupt a connection with a…
- CVE-2025-33012 — Medium (CVSS 6.3): IBM Db2 10.5.0 through 10.5.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux…