Unauthorized content alteration bug found in NSA platform
Vulnerability Management, Threat Intelligence

The U.S. National Security Agency's open-source SkillTree training platform on GitHub is affected by a medium-severity cross-site request forgery (CSRF) vulnerability, tracked as CVE-2024-39326, that could be leveraged to make unauthorized modifications to training content, SiliconAngle reports. The flaw stemmed from inadequate CSRF protections, primarily on SkillTree endpoints that perform state-changing operations; attackers could exploit it to spread misinformation and disrupt training, according to an analysis by Contrast Security. Although NSA maintainers have already addressed the issue in a new SkillTree release with strengthened CSRF defenses, the vulnerability underscores the security risks that accompany open-source projects. Still, the NSA should not be condemned for the security issue, according to Contrast founder and Chief Technology Officer Jeff Williams. "Healthy security means that you will find vulnerabilities and fix them. This isn't the story of a mistake. It's the story of doing it right — by using great tools and fixing issues quickly," said Williams.
