CVE-2024-50573 and CVE-2024-49580

Floofi is confirming that it has acknowledged the following vulnerabilities:

• CVE-2024-50573, affecting JetBrains Hub ("Improper access control allowed users to generate permanent tokens for unauthorized services"); and

• CVE-2024-49580, affecting Ktor ("Improper caching in HttpCache Plugin could lead to response information disclosure")

and confirms that it has minimal or no impact on Floofi's software and infrastructure.

The vulnerability with JetBrains Hub does affect id.floo.fi, but its impact is very minimal and only – at worst – increases attack surface on services connected to a Floofi ID. This means an update is not immediately required but will still be deployed at a later time.

The vulnerability with Ktor does not impact any of the features or modules that the Floofi Voice Generator backend is using.

We would like to thank you for your continued trust.

Source: JetBrains Security Bulletin, October 2024. Floofi Systems shall not be held responsible for any errors present within this information, including any potential damage caused to information systems due to an error in this information.