Coverity Connect Authentication Bypass Vulnerability in Command Line Tooling
Vulnerability
A vulnerability exists in Coverity Connect versions 2024.3.0, 2024.3.1, 2024.3.2, 2024.6.0, 2024.6.1, 2024.9.0, 2024.9.1, 2024.12.0, 2024.12.1, 2025.3.0, 2025.3.1, 2025.6.0, 2025.6.1, 2025.6.2, 2025.6.3, 2025.9.0, 2025.9.1, 2025.9.2, and 2025.12.0. These versions lack proper error handling in the authentication process for command line tools, leading to an authentication bypass. Malicious actors with access to the /token API endpoint who know or can guess a valid username can craft HTTP requests to bypass authentication. Exploitation of this vulnerability allows the attacker to gain all roles and privileges of the affected user’s Coverity Connect account.
Impact
Exploitation of this vulnerability allows unauthorized users to bypass authentication and gain access to all roles and privileges of a valid user in Coverity Connect.
Remediation
Users are advised to upgrade to Coverity versions 2025.12.1, 2025.12.0A, 2025.9.2A, 2025.9.0A, 2025.6.2A, 2025.6.0A, 2025.3.1A, 2025.3.0A, 2024.12.1A, 2024.12.0A, 2024.9.1A, 2024.9.0A, 2024.6.1A (unsupported), 2024.6.0A (unsupported), 2024.3.2A (unsupported), 2024.3.1A (unsupported), or 2024.3.0A (unsupported). For those unable to upgrade immediately, it is recommended to implement access controls to limit exposure to unauthorized users or to block access to the /token endpoint by modifying Coverity Connect’s web.xml file.
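The interim workaround above (blocking the /token endpoint in web.xml) is the standard servlet-container way of denying a URL pattern. The following is an added example written for this page, not code from the advisory or from the Coverity product; it assumes Coverity Connect's web.xml is an ordinary Java/Jakarta servlet deployment descriptor and that the endpoint is served under the path `/token` exactly as the advisory names it (the file location is a placeholder).

```xml
<!-- Added example, not from the advisory: deny all access to /token.
     Insert inside the <web-app> element of Coverity Connect's web.xml
     (placeholder path: <coverity-install>/server/.../WEB-INF/web.xml). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>token endpoint (temporary block)</web-resource-name>
    <!-- Matches only the exact /token path named in the advisory. -->
    <url-pattern>/token</url-pattern>
    <!-- No <http-method> elements: the constraint covers every HTTP method. -->
  </web-resource-collection>
  <!-- An empty auth-constraint permits no role at all, so the container
       rejects every caller (authenticated or not) with HTTP 403. -->
  <auth-constraint/>
</security-constraint>
```

The constraint takes effect after the web application is restarted. Because the advisory describes /token as part of the command line tools' authentication flow, this block also stops legitimate CLI authentication through that endpoint, so it is a stopgap to remove once the fixed version is installed. If the endpoint is actually exposed under additional sub-paths, a second `<url-pattern>/token/*</url-pattern>` entry would be needed; the advisory does not say so, so that is left out here.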
