LiveActive security incident?Get immediate response
CVE Record

CVE-2024-8644: Cleartext Storage of Sensitive Information in Oceanic Software's ValeApp

Cleartext Storage of Sensitive Information in a Cookie vulnerability in Oceanic Software ValeApp allows Protocol Manipulation, : JSON Hijacking (aka JavaScript Hijacking). This issue affects ValeApp: before v2.0.0.

CriticalCVSS 9.3Not KEV-listedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

ValeApp before v2.0.0 stores sensitive data in cookies in cleartext. If exposed, that can let attackers without credentials or user interaction manipulate protocol behavior and conduct JSON hijacking, potentially affecting confidentiality, integrity, and availability. The public record rates this critical, but the supplied sources do not show active exploitation.

Executive priority

Treat this as urgent for any confirmed ValeApp deployment before v2.0.0, especially if internet-facing. The score is critical and unauthenticated network access is indicated, but urgency should be scoped to verified ValeApp exposure.

Technical view

CVE-2024-8644 is a CWE-315 cleartext storage issue in an Oceanic Software ValeApp cookie. CVSS v4.0 is 9.3: network exploitable, low complexity, no privileges, and no user interaction, with high vulnerable-system impact. The record names Protocol Manipulation and JSON Hijacking, but provides limited implementation detail.

Likely exposure

Exposure appears limited to organizations running Oceanic Software ValeApp before v2.0.0. The affected-version data is sparse, listing versions as “0” with defaultStatus “unaffected,” so validate actual ValeApp versions against vendor or government advisory data.

Exploitation context

The CVE is not listed as KEV in the supplied bundle, and no cited source confirms active exploitation. The CVSS vector indicates a remotely reachable, unauthenticated attack path, but the sources do not include exploit mechanics or proof-of-concept details.

Researcher notes

Evidence is thin beyond the CVE record and Turkish government advisory references. Do not assume broader Oceanic Software products are affected. Focus research on confirming cookie contents, version boundaries, deployment exposure, and whether vendor documentation names a specific fixed release path.

Mitigation direction

  • Identify all Oceanic Software ValeApp deployments and versions.
  • Prioritize upgrade or vendor guidance for versions before v2.0.0.
  • Review cookie handling for cleartext sensitive values.
  • Rotate exposed secrets if sensitive cookie data may have leaked.
  • Monitor vendor and government advisories for updated remediation guidance.

Validation and detection

  • Confirm whether ValeApp is present in production or internet-facing environments.
  • Verify deployed ValeApp versions are v2.0.0 or later.
  • Inspect application cookies for sensitive values stored in cleartext.
  • Review logs for suspicious unauthenticated interaction with ValeApp endpoints.
  • Document findings and remediation status in the vulnerability tracker.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-315: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2024-8644 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.3 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
1ADP providers
3Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: total

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.3CVSS 4.0CriticalCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:LTR-CERT

Vulnerability scoring details

Base CVSS 4.0 score

9.3Critical
CVSS 4.0 vector shape for CVE-2024-8644Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Oceanic SoftwareValeApp0unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-315 · source CWE mapping

Cleartext Storage of Sensitive Information in a Cookie

Cleartext Storage of Sensitive Information in a Cookie represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.