CVE-2024-5166

An Insecure Direct Object Reference in Google Cloud's Looker allowed metadata exposure across authenticated Looker users sharing the same LookML model.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://cloud.google.com/looker/docs/best-practices/query-id-update-instructions	Product
https://cloud.google.com/looker/docs/best-practices/query-id-update-instructions	Product

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:google:looker:23.18:::::::*
	cpe:2.3:a:google:looker:23.20:::::::*
	cpe:2.3:a:google:looker:24.0:::::::*
	cpe:2.3:a:google:looker:24.2:::::::*
	cpe:2.3:a:google:looker:24.4:::::::*
	cpe:2.3:a:google:looker:24.6:::::::*
	cpe:2.3:a:google:looker:24.8:::::::*
	cpe:2.3:a:google:looker:24.10:::::::*
	cpe:2.3:a:google:looker:24.12:::::::*
	cpe:2.3:a:google:looker:24.14:::::::*
	cpe:2.3:a:google:looker:24.16:::::::*
	cpe:2.3:a:google:looker:24.18:::::::*
	cpe:2.3:a:google:looker:24.20:::::::*

History

No history.

Information

Published : 2024-05-22 17:16

Updated : 2025-07-22 20:49

NVD link : CVE-2024-5166

Mitre link : CVE-2024-5166

CVE.ORG link : CVE-2024-5166

JSON object : View

Products Affected

google

looker

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2024-5166", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-05-22T17:16:15.957", "references": [{"url": "https://cloud.google.com/looker/docs/best-practices/query-id-update-instructions", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://cloud.google.com/looker/docs/best-practices/query-id-update-instructions", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-639"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "An Insecure Direct Object Reference in Google Cloud's Looker allowed metadata exposure across authenticated Looker users sharing the same LookML model."}, {"lang": "es", "value": "Una referencia de objeto directa insegura en Looker de Google Cloud permiti\u00f3 la exposici\u00f3n de metadatos entre usuarios autenticados de Looker que compart\u00edan el mismo modelo LookML."}], "lastModified": "2025-07-22T20:49:16.807", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:google:looker:23.18:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "35DADF6C-5886-4581-99BF-45B69799A2DF"}, {"criteria": "cpe:2.3:a:google:looker:23.20:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7503C5F0-9117-4FA7-9E40-EA1330DD36DA"}, {"criteria": "cpe:2.3:a:google:looker:24.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "748F483C-28A7-4D23-AC1B-504599DF4115"}, {"criteria": "cpe:2.3:a:google:looker:24.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0669F449-7F7A-47C5-B92B-645B0899D25C"}, {"criteria": "cpe:2.3:a:google:looker:24.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "98E862C4-3B4C-43B2-84BB-98AC9BD6F671"}, {"criteria": "cpe:2.3:a:google:looker:24.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "976DB9CD-0A33-4072-B314-0BFE3F4D9A82"}, {"criteria": "cpe:2.3:a:google:looker:24.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4428B311-99F8-4D48-9631-E9383B4468B0"}, {"criteria": "cpe:2.3:a:google:looker:24.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F3413C68-2A24-405D-B594-B1575C0B0CE3"}, {"criteria": "cpe:2.3:a:google:looker:24.12:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "81907A42-E3EB-41AD-ADDC-1208BED1DE91"}, {"criteria": "cpe:2.3:a:google:looker:24.14:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "01E5496C-F3CF-424B-9503-3ABC66CC2AE5"}, {"criteria": "cpe:2.3:a:google:looker:24.16:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D6EB2EFA-B666-4FD2-8439-343419388E7B"}, {"criteria": "cpe:2.3:a:google:looker:24.18:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "03EA95CD-99BC-45A5-A2B2-A5A713EE8634"}, {"criteria": "cpe:2.3:a:google:looker:24.20:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CEE5626A-D8DD-49F7-9361-31EE071BCDF0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}