CVE-2024-45340 in Google
Summary
by MITRE • 01/28/2025
Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the user's .netrc file.
Analysis
by VulDB Data Team • 09/02/2025
The vulnerability identified as CVE-2024-45340 represents a critical authorization flaw within the GOAUTH feature implementation that fundamentally compromises credential security through improper domain segmentation. This issue manifests when malicious servers can exploit the lack of domain-based credential isolation to access authentication materials they should not possess, creating a significant attack surface that undermines the security posture of affected systems. The flaw specifically targets the credential management mechanism that should enforce domain-specific boundaries to prevent unauthorized cross-domain access to stored authentication tokens and credentials.
The technical root cause of this vulnerability stems from inadequate implementation of domain-based access controls within the credential storage and retrieval process. When users store credentials in their .netrc file, the system should enforce strict domain boundaries to ensure that credentials are only accessible to requests originating from the same domain or authorized domains. However, the current implementation fails to properly validate or enforce these domain restrictions, allowing any server that can establish a connection to potentially access all credentials stored in the user's credential store regardless of domain context. This represents a direct violation of the principle of least privilege and proper access control enforcement.
The operational impact of this vulnerability extends beyond simple credential theft to potential lateral movement and escalation within compromised environments. Attackers can leverage this flaw to access credentials for multiple domains or services from a single malicious server, bypassing the security boundaries that should isolate different authentication contexts. This particularly affects users who keep multiple domain-specific credentials in their .netrc file, because the vulnerability allows access to all stored credentials rather than restricting access to domain-appropriate resources. The fact that, by default, only credentials stored in .netrc are affected does not mitigate the severity of the issue, as these files often contain sensitive authentication information for various services and systems.
Mitigation should prioritize immediate implementation of proper domain segmentation controls within the GOAUTH feature. Every credential access request must undergo strict domain validation to prevent unauthorized cross-domain credential access, and the fix should enforce domain-specific boundaries in line with established security frameworks and principles for credential management and access control. Organizations should also conduct comprehensive audits of credential storage practices and implement monitoring to detect unauthorized credential access attempts. The vulnerability demonstrates the critical importance of proper access control implementation. It also matches common attack patterns documented in catalogs of attack tactics and techniques, where unauthorized access to credentials is a fundamental initial compromise vector that can lead to broader system infiltration and data breaches.
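The domain validation described above, as an added example in Go: a `.netrc` lookup that releases a credential only to the exact host it is stored for. This is not the Go project's code or its fix; `parseNetrc`, `credsFor`, `sampleNetrc`, the sample hosts and the HTTPS-only rule are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Cred is one "machine" entry of a .netrc file.
type Cred struct{ Machine, Login, Password string }

// Constructed sample; hosts and secrets are placeholders.
const sampleNetrc = `machine git.corp.example login alice password s3cr3t-corp
machine proxy.example login bob password s3cr3t-proxy
default login anon password anon`

// parseNetrc keeps only host-scoped entries; the catch-all "default" is dropped.
func parseNetrc(data string) []Cred {
	var out []Cred
	f, scoped := strings.Fields(data), false
	for i := 0; i+1 < len(f); i += 2 {
		switch key, val := f[i], f[i+1]; {
		case key == "default":
			scoped, i = false, i-1 // "default" takes no value token
		case key == "machine":
			out, scoped = append(out, Cred{Machine: strings.ToLower(val)}), true
		case key == "login" && scoped:
			out[len(out)-1].Login = val
		case key == "password" && scoped:
			out[len(out)-1].Password = val
		}
	}
	return out
}

// credsFor releases a credential only to its exact stored host, and (example policy) only over HTTPS.
func credsFor(creds []Cred, rawURL string) (Cred, bool) {
	u, err := url.Parse(rawURL)
	for _, c := range creds {
		if err == nil && u.Scheme == "https" && c.Machine == strings.ToLower(u.Hostname()) {
			return c, true
		}
	}
	return Cred{}, false
}

func main() {
	_, ok := credsFor(parseNetrc(sampleNetrc), "https://other.example/mod")
	fmt.Println("credential released to other.example:", ok)
}
```

The match is on the full hostname, so a subdomain of a stored host or an unrelated server gets nothing, and the `default` entry is never offered to any host.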