Home / Vulnerabilities / CVE-2024-39891
MEDIUM SEVERITY
CVE-2024-39891 Twilio · Authy

Twilio Authy Information Disclosure Vulnerability

Technical Severity

CVSS v3.1 Metrics

MEDIUM
5.3 / 10
Minimal Risk Critical
Vector Specification
CVSS:3.1/AC:L/AV:N/A:N/C:L/I:N/PR:N/S:U/UI:N
Exploitation Likelihood

EPSS Prediction

29.58 %
Predictive Probability
Percentile Rank
96.5 th

Documented as more likely to be exploited than 96.5% of known CVEs.

Detection Date

Jul 23, 2024

Remediation Due

Aug 13, 2024

CISA Catalog Active

Threat Analysis

Twilio Authy contains an information disclosure vulnerability in its API that allows an unauthenticated endpoint to accept a request containing a phone number and respond with information about whether the phone number was registered with Authy.

Remediation Directive

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

External Intelligence

https://www.twilio.com/en-us/changelog/Security_Alert_Authy_App_Android_iOS

https://www.twilio.com/en-us/changelog/Security_Alert_Authy_App_Android_iOS
NVD

National Vulnerability Database

https://nvd.nist.gov/vuln/detail/CVE-2024-39891