Common Weakness Enumeration

CWE-88

Allowed

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Abstraction: Base · Status: Draft

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

550 vulnerabilities reference this CWE, most recent first.

CVE-2024-35307 (GCVE-0-2024-35307)

Vulnerability from cvelistv5 – Published: 2024-06-10 14:33 – Updated: 2024-08-02 03:07
VLAI
Title
Argument Injection Leading to Remote Code Execution in Realtime Graph Extension
Summary
Argument Injection Leading to Remote Code Execution in Realtime Graph Extension, allowing unauthenticated attackers to execute arbitrary code on the server. This issue affects Pandora FMS: from 700 through <777.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
References
Impacted products
Vendor Product Version
Pandora FMS Pandora FMS Affected: 700 , < 777 (custom)
Create a notification for this product.
pandorafms pandora_fms Affected: 700 , < 777 (custom)
    cpe:2.3:a:pandorafms:pandora_fms:700:*:*:*:*:*:*:*
Create a notification for this product.
Credits
u32i@proton.me
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:pandorafms:pandora_fms:700:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "pandora_fms",
            "vendor": "pandorafms",
            "versions": [
              {
                "lessThan": "777",
                "status": "affected",
                "version": "700",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35307",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-12T13:35:21.466902Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-12T13:39:11.479Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:07:46.936Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "all"
          ],
          "product": "Pandora FMS",
          "vendor": "Pandora FMS",
          "versions": [
            {
              "lessThan": "777",
              "status": "affected",
              "version": "700",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "u32i@proton.me"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Argument Injection Leading to Remote Code Execution in Realtime Graph Extension,\u0026nbsp;allowing unauthenticated attackers to execute arbitrary code on the server.\u0026nbsp;This issue affects Pandora FMS: from 700 through \u0026lt;777."
            }
          ],
          "value": "Argument Injection Leading to Remote Code Execution in Realtime Graph Extension,\u00a0allowing unauthenticated attackers to execute arbitrary code on the server.\u00a0This issue affects Pandora FMS: from 700 through \u003c777."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-137",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-137 Parameter Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/RE:L/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-88",
              "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-10T14:33:29.127Z",
        "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c",
        "shortName": "PandoraFMS"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Fixed v777"
            }
          ],
          "value": "Fixed v777"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Argument Injection Leading to Remote Code Execution in Realtime Graph Extension",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c",
    "assignerShortName": "PandoraFMS",
    "cveId": "CVE-2024-35307",
    "datePublished": "2024-06-10T14:33:29.127Z",
    "dateReserved": "2024-05-16T17:38:35.343Z",
    "dateUpdated": "2024-08-02T03:07:46.936Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-32884 (GCVE-0-2024-32884)

Vulnerability from cvelistv5 – Published: 2024-04-26 18:04 – Updated: 2024-08-02 02:20
VLAI
Title
gix-transport indirect code execution via malicious username
Summary
gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
References
Impacted products
Vendor Product Version
Byron gitoxide Affected: < 0.42.0
Affected: < 0.62
Affected: < 0.35
Create a notification for this product.
byron gitoxide Affected: 0 , < 0.35.0 (custom)
Affected: 0 , < 0.62.0 (custom)
Affected: 0 , < 0.42.0 (custom)
    cpe:2.3:a:byron:gitoxide:*:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:byron:gitoxide:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "gitoxide",
            "vendor": "byron",
            "versions": [
              {
                "lessThan": "0.35.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThan": "0.62.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThan": "0.42.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-32884",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-01T17:14:15.110574Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:49:52.416Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:20:35.704Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh"
          },
          {
            "name": "https://rustsec.org/advisories/RUSTSEC-2024-0335.html",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://rustsec.org/advisories/RUSTSEC-2024-0335.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gitoxide",
          "vendor": "Byron",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.42.0"
            },
            {
              "status": "affected",
              "version": "\u003c 0.62"
            },
            {
              "status": "affected",
              "version": "\u003c 0.35"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-88",
              "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-26T18:04:04.374Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh"
        },
        {
          "name": "https://rustsec.org/advisories/RUSTSEC-2024-0335.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://rustsec.org/advisories/RUSTSEC-2024-0335.html"
        }
      ],
      "source": {
        "advisory": "GHSA-98p4-xjmm-8mfh",
        "discovery": "UNKNOWN"
      },
      "title": "gix-transport indirect code execution via malicious username"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-32884",
    "datePublished": "2024-04-26T18:04:04.374Z",
    "dateReserved": "2024-04-19T14:07:11.231Z",
    "dateUpdated": "2024-08-02T02:20:35.704Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-32462 (GCVE-0-2024-32462)

Vulnerability from cvelistv5 – Published: 2024-04-18 18:11 – Updated: 2025-12-16 18:13
VLAI
Title
Flatpak vulnerable to a sandbox escape via RequestBackground portal due to bad argument parsing
Summary
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It's possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
Impacted products
Vendor Product Version
flatpak flatpak Affected: < 1.10.9
Affected: >= 1.12.0, < 1.12.9
Affected: >= 1.14.0, < 1.14.6
Affected: >= 1.15.0, < 1.15.8
Create a notification for this product.
flatpak flatpak Affected: 1.15.0 , < 1.15.8 (semver)
    cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "flatpak",
            "vendor": "flatpak",
            "versions": [
              {
                "lessThan": "1.15.8",
                "status": "affected",
                "version": "1.15.0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-32462",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-20T04:00:12.336436Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-16T18:13:22.363Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:13:39.161Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj"
          },
          {
            "name": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d"
          },
          {
            "name": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97"
          },
          {
            "name": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e"
          },
          {
            "name": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/04/18/5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "flatpak",
          "vendor": "flatpak",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.10.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.12.0, \u003c 1.12.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.14.0, \u003c 1.14.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.15.0, \u003c 1.15.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It\u0027s possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-88",
              "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-01T18:07:39.466Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj"
        },
        {
          "name": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d"
        },
        {
          "name": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97"
        },
        {
          "name": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e"
        },
        {
          "name": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNSCFJVMAQK5AF55JBN7OSJP3CREDBD/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IB6VQAF5S2YOBULDHPUKPOEIKONOP5KO/"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/04/18/5"
        }
      ],
      "source": {
        "advisory": "GHSA-phv6-cpc2-2fgj",
        "discovery": "UNKNOWN"
      },
      "title": "Flatpak vulnerable to a sandbox escape via RequestBackground portal due to bad argument parsing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-32462",
    "datePublished": "2024-04-18T18:11:27.680Z",
    "dateReserved": "2024-04-12T19:41:51.164Z",
    "dateUpdated": "2025-12-16T18:13:22.363Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-24576 (GCVE-0-2024-24576)

Vulnerability from cvelistv5 – Published: 2024-04-09 17:28 – Updated: 2025-11-04 18:29
VLAI
Title
Rusts's `std::process::Command` did not properly escape arguments of batch files on Windows
Summary
Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command`. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical for those who invoke batch files on Windows with untrusted arguments. No other platform or use is affected. The `Command::arg` and `Command::args` APIs state in their documentation that the arguments will be passed to the spawned process as-is, regardless of the content of the arguments, and will not be evaluated by a shell. This means it should be safe to pass untrusted input as an argument. On Windows, the implementation of this is more complex than other platforms, because the Windows API only provides a single string containing all the arguments to the spawned process, and it's up to the spawned process to split them. Most programs use the standard C run-time argv, which in practice results in a mostly consistent way arguments are splitted. One exception though is `cmd.exe` (used among other things to execute batch files), which has its own argument splitting logic. That forces the standard library to implement custom escaping for arguments passed to batch files. Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution. Due to the complexity of `cmd.exe`, we didn't identify a solution that would correctly escape arguments in all cases. To maintain our API guarantees, we improved the robustness of the escaping code, and changed the `Command` API to return an `InvalidInput` error when it cannot safely escape an argument. This error will be emitted when spawning the process. The fix is included in Rust 1.77.2. Note that the new escaping logic for batch files errs on the conservative side, and could reject valid arguments. Those who implement the escaping themselves or only handle trusted inputs on Windows can also use the `CommandExt::raw_arg` method to bypass the standard library's escaping logic.
SSVC
Exploitation: poc Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
Impacted products
Vendor Product Version
rust-lang rust Affected: < 1.77.2
Create a notification for this product.
rust-lang rust Affected: 0 , < 1.77.2 (semver)
    cpe:2.3:a:rust-lang:rust:*:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:rust-lang:rust:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "affected",
            "product": "rust",
            "vendor": "rust-lang",
            "versions": [
              {
                "lessThan": "1.77.2",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-24576",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-26T18:38:35.986544Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-26T18:38:58.221Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T18:29:08.712Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/rust-lang/rust/security/advisories/GHSA-q455-m56c-85mh",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/rust-lang/rust/security/advisories/GHSA-q455-m56c-85mh"
          },
          {
            "name": "https://doc.rust-lang.org/std/io/enum.ErrorKind.html#variant.InvalidInput",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://doc.rust-lang.org/std/io/enum.ErrorKind.html#variant.InvalidInput"
          },
          {
            "name": "https://doc.rust-lang.org/std/os/windows/process/trait.CommandExt.html#tymethod.raw_arg",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://doc.rust-lang.org/std/os/windows/process/trait.CommandExt.html#tymethod.raw_arg"
          },
          {
            "name": "https://doc.rust-lang.org/std/process/struct.Command.html",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://doc.rust-lang.org/std/process/struct.Command.html"
          },
          {
            "name": "https://doc.rust-lang.org/std/process/struct.Command.html#method.arg",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://doc.rust-lang.org/std/process/struct.Command.html#method.arg"
          },
          {
            "name": "https://doc.rust-lang.org/std/process/struct.Command.html#method.args",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://doc.rust-lang.org/std/process/struct.Command.html#method.args"
          },
          {
            "name": "https://github.com/rust-lang/rust/issues",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rust-lang/rust/issues"
          },
          {
            "name": "https://www.rust-lang.org/policies/security",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.rust-lang.org/policies/security"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W7WRFOIAZXYUPGXGR5UEEW7VTTOD4SZ3/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RPH3PF7DVSS2LVIRLW254VWUPVKJN46P/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N323QAEEUVTJ354BTVQ7UB6LYXUX2BCL/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/04/09/16"
          },
          {
            "url": "https://www.kb.cert.org/vuls/id/123335"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rust",
          "vendor": "rust-lang",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.77.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command`. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical for those who invoke batch files on Windows with untrusted arguments. No other platform or use is affected.\n\nThe `Command::arg` and `Command::args` APIs state in their documentation that the arguments will be passed to the spawned process as-is, regardless of the content of the arguments, and will not be evaluated by a shell. This means it should be safe to pass untrusted input as an argument.\n\nOn Windows, the implementation of this is more complex than other platforms, because the Windows API only provides a single string containing all the arguments to the spawned process, and it\u0027s up to the spawned process to split them. Most programs use the standard C run-time argv, which in practice results in a mostly consistent way arguments are splitted.\n\nOne exception though is `cmd.exe` (used among other things to execute batch files), which has its own argument splitting logic. That forces the standard library to implement custom escaping for arguments passed to batch files. Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution.\n\nDue to the complexity of `cmd.exe`, we didn\u0027t identify a solution that would correctly escape arguments in all cases. To maintain our API guarantees, we improved the robustness of the escaping code, and changed the `Command` API to return an `InvalidInput` error when it cannot safely escape an argument. This error will be emitted when spawning the process.\n\nThe fix is included in Rust 1.77.2. Note that the new escaping logic for batch files errs on the conservative side, and could reject valid arguments. Those who implement the escaping themselves or only handle trusted inputs on Windows can also use the `CommandExt::raw_arg` method to bypass the standard library\u0027s escaping logic."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-88",
              "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-01T18:11:50.241Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rust-lang/rust/security/advisories/GHSA-q455-m56c-85mh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rust-lang/rust/security/advisories/GHSA-q455-m56c-85mh"
        },
        {
          "name": "https://doc.rust-lang.org/std/io/enum.ErrorKind.html#variant.InvalidInput",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://doc.rust-lang.org/std/io/enum.ErrorKind.html#variant.InvalidInput"
        },
        {
          "name": "https://doc.rust-lang.org/std/os/windows/process/trait.CommandExt.html#tymethod.raw_arg",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://doc.rust-lang.org/std/os/windows/process/trait.CommandExt.html#tymethod.raw_arg"
        },
        {
          "name": "https://doc.rust-lang.org/std/process/struct.Command.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://doc.rust-lang.org/std/process/struct.Command.html"
        },
        {
          "name": "https://doc.rust-lang.org/std/process/struct.Command.html#method.arg",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://doc.rust-lang.org/std/process/struct.Command.html#method.arg"
        },
        {
          "name": "https://doc.rust-lang.org/std/process/struct.Command.html#method.args",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://doc.rust-lang.org/std/process/struct.Command.html#method.args"
        },
        {
          "name": "https://github.com/rust-lang/rust/issues",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rust-lang/rust/issues"
        },
        {
          "name": "https://www.rust-lang.org/policies/security",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.rust-lang.org/policies/security"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W7WRFOIAZXYUPGXGR5UEEW7VTTOD4SZ3/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RPH3PF7DVSS2LVIRLW254VWUPVKJN46P/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N323QAEEUVTJ354BTVQ7UB6LYXUX2BCL/"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/04/09/16"
        }
      ],
      "source": {
        "advisory": "GHSA-q455-m56c-85mh",
        "discovery": "UNKNOWN"
      },
      "title": "Rusts\u0027s `std::process::Command` did not properly escape arguments of batch files on Windows"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-24576",
    "datePublished": "2024-04-09T17:28:41.800Z",
    "dateReserved": "2024-01-25T15:09:40.211Z",
    "dateUpdated": "2025-11-04T18:29:08.712Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-22182 (GCVE-0-2024-22182)

Vulnerability from cvelistv5 – Published: 2024-03-01 20:52 – Updated: 2024-08-12 20:25 Unsupported When Assigned
VLAI
Title
Commend WS203VICM Argument Injection
Summary
A remote, unauthenticated attacker may be able to send crafted messages to the web server of the Commend WS203VICM causing the system to restart, interrupting service.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
Commend WS203VICM Affected: 0 , ≤ 1.7 (custom)
Create a notification for this product.
commend ws203vicm_firmware Affected: 0 , ≤ 1.7 (custom)
    cpe:2.3:o:commend:ws203vicm_firmware:*:*:*:*:*:*:*:*
Create a notification for this product.
Date Public
2024-02-20 20:48
Credits
Aarón Flecha Menéndez of S21sec reported these vulnerabilities to CISA.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T22:35:34.932Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-01"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://clibrary-online.commend.com/en/cyber-security/security-advisories.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:commend:ws203vicm_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ws203vicm_firmware",
            "vendor": "commend",
            "versions": [
              {
                "lessThanOrEqual": "1.7",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-22182",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-04T19:32:08.452696Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-12T20:25:02.479Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WS203VICM",
          "vendor": "Commend",
          "versions": [
            {
              "lessThanOrEqual": "1.7",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Aar\u00f3n Flecha Men\u00e9ndez of S21sec reported these vulnerabilities to CISA."
        }
      ],
      "datePublic": "2024-02-20T20:48:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\nA remote, unauthenticated attacker may be able to send crafted messages \nto the web server of the Commend WS203VICM causing the system to \nrestart, interrupting service.\n\n"
            }
          ],
          "value": "A remote, unauthenticated attacker may be able to send crafted messages \nto the web server of the Commend WS203VICM causing the system to \nrestart, interrupting service.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-88",
              "description": "CWE-88 Argument Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-01T20:52:59.597Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-01"
        },
        {
          "url": "https://clibrary-online.commend.com/en/cyber-security/security-advisories.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\nAlthough this is an end-of-life product, Commend has created new firmware \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://clibrary-online.commend.com/\"\u003eversion WS-CM 2.0\u003c/a\u003e\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;to\n address the first two issues. The new firmware can be loaded via the \nprogram \"IP Station Config\". To install the firmware, follow the \ninstructions below:\u003c/span\u003e\u003col\u003e\n\u003cli\u003eLog in to the Commend web-portal.\u003c/li\u003e\n\u003cli\u003eDownload and extract the \"Terminals Software Package\".\u003c/li\u003e\n\u003cli\u003eIn \"IP Station Config\", select the stations to be updated in the table.\u003c/li\u003e\n\u003cli\u003eGo to: Menu Station \u0026gt; Firmware Download\u003c/li\u003e\n\u003cli\u003eSelect the file \"WS-CM 2.0.geh\" from the folder \"WS-CM\" and click on the button Open.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eFor additional information, please visit \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://clibrary-online.commend.com/en/cyber-security/security-advisories.html\"\u003eCSA-2024-42 on Commend\u0027s cybersecurity website.\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Although this is an end-of-life product, Commend has created new firmware  version WS-CM 2.0 https://clibrary-online.commend.com/ \u00a0\u00a0to\n address the first two issues. The new firmware can be loaded via the \nprogram \"IP Station Config\". To install the firmware, follow the \ninstructions below:\n  *  Log in to the Commend web-portal.\n\n  *  Download and extract the \"Terminals Software Package\".\n\n  *  In \"IP Station Config\", select the stations to be updated in the table.\n\n  *  Go to: Menu Station \u003e Firmware Download\n\n  *  Select the file \"WS-CM 2.0.geh\" from the folder \"WS-CM\" and click on the button Open.\n\n\nFor additional information, please visit  CSA-2024-42 on Commend\u0027s cybersecurity website. https://clibrary-online.commend.com/en/cyber-security/security-advisories.html \n\n\n\n\n"
        }
      ],
      "source": {
        "advisory": "ICSA-24-051-01",
        "discovery": "EXTERNAL"
      },
      "tags": [
        "unsupported-when-assigned"
      ],
      "title": "Commend WS203VICM Argument Injection",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2024-22182",
    "datePublished": "2024-03-01T20:52:59.597Z",
    "dateReserved": "2024-01-30T22:06:32.541Z",
    "dateUpdated": "2024-08-12T20:25:02.479Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-20444 (GCVE-0-2024-20444)

Vulnerability from cvelistv5 – Published: 2024-10-02 16:54 – Updated: 2024-10-02 19:45
VLAI
Title
Cisco Nexus Dashboard Fabric Controller REST API Command Injection Vulnerability
Summary
A vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC), formerly Cisco Data Center Network Manager (DCNM), could allow an authenticated, remote attacker with network-admin privileges to perform a command injection attack against an affected device. &nbsp; This vulnerability is due to insufficient validation of command arguments. An attacker could exploit this vulnerability by submitting crafted command arguments to a specific REST API endpoint. A successful exploit could allow the attacker to overwrite sensitive files or crash a specific container, which would restart on its own, causing a low-impact denial of service (DoS) condition.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
Impacted products
Vendor Product Version
Cisco Cisco Data Center Network Manager Affected: 11.2(1)
Affected: 7.0(2)
Affected: 10.3(2)IPFM
Affected: 10.1(1)
Affected: 7.2(3)
Affected: 7.2(2)
Affected: 7.2(1)
Affected: 11.0(1)
Affected: 10.4(1)
Affected: 10.2(1)
Affected: 7.2(2a)
Affected: 10.1(2)
Affected: 7.1(1)
Affected: 12.1(1)
Affected: 11.1(1)
Affected: 10.3(1)
Affected: 10.3(1)R(1)
Affected: 7.0(1)
Affected: 10.0(1)
Affected: 7.1(2)
Affected: 11.4(1)
Affected: 10.4(2)
Affected: 11.3(1)
Affected: 11.5(1)
Affected: 11.5(2)
Affected: 11.5(3)
Affected: 12.0.1a
Affected: 11.5(3a)
Affected: 12.0.2d
Affected: 12.0.2f
Affected: 11.5(4)
Affected: 12.1.1
Affected: 12.1.1e
Affected: 12.1.1p
Affected: 12.1.2e
Affected: 12.1.2p
Affected: 12.1.3b
Affected: 12.2.1
Create a notification for this product.
cisco data_center_network_manager Affected: 11.2(1)
Affected: 7.0(2)
Affected: 10.3(2)IPFM
Affected: 10.1(1)
Affected: 7.2(3)
Affected: 7.2(2)
Affected: 7.2(1)
Affected: 11.0(1)
Affected: 10.4(1)
Affected: 10.2(1)
Affected: 7.2(2a)
Affected: 10.1(2)
Affected: 7.1(1)
Affected: 12.1(1)
Affected: 11.1(1)
Affected: 10.3(1)
Affected: 10.3(1)R(1)
Affected: 7.0(1)
Affected: 10.0(1)
Affected: 7.1(2)
Affected: 11.4(1)
Affected: 10.4(2)
Affected: 11.3(1)
Affected: 11.5(1)
Affected: 11.5(2)
Affected: 11.5(3)
Affected: 12.0.1a
Affected: 11.5(3a)
Affected: 12.0.2d
Affected: 12.0.2f
Affected: 11.5(4)
Affected: 12.1.1
Affected: 12.1.1e
Affected: 12.1.1p
Affected: 12.1.2e
Affected: 12.1.2p
Affected: 12.1.3b
Affected: 12.2.1
    cpe:2.3:a:cisco:data_center_network_manager:-:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:cisco:data_center_network_manager:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "data_center_network_manager",
            "vendor": "cisco",
            "versions": [
              {
                "status": "affected",
                "version": "11.2(1)"
              },
              {
                "status": "affected",
                "version": "7.0(2)"
              },
              {
                "status": "affected",
                "version": "10.3(2)IPFM"
              },
              {
                "status": "affected",
                "version": "10.1(1)"
              },
              {
                "status": "affected",
                "version": "7.2(3)"
              },
              {
                "status": "affected",
                "version": "7.2(2)"
              },
              {
                "status": "affected",
                "version": "7.2(1)"
              },
              {
                "status": "affected",
                "version": "11.0(1)"
              },
              {
                "status": "affected",
                "version": "10.4(1)"
              },
              {
                "status": "affected",
                "version": "10.2(1)"
              },
              {
                "status": "affected",
                "version": "7.2(2a)"
              },
              {
                "status": "affected",
                "version": "10.1(2)"
              },
              {
                "status": "affected",
                "version": "7.1(1)"
              },
              {
                "status": "affected",
                "version": "12.1(1)"
              },
              {
                "status": "affected",
                "version": "11.1(1)"
              },
              {
                "status": "affected",
                "version": "10.3(1)"
              },
              {
                "status": "affected",
                "version": "10.3(1)R(1)"
              },
              {
                "status": "affected",
                "version": "7.0(1)"
              },
              {
                "status": "affected",
                "version": "10.0(1)"
              },
              {
                "status": "affected",
                "version": "7.1(2)"
              },
              {
                "status": "affected",
                "version": "11.4(1)"
              },
              {
                "status": "affected",
                "version": "10.4(2)"
              },
              {
                "status": "affected",
                "version": "11.3(1)"
              },
              {
                "status": "affected",
                "version": "11.5(1)"
              },
              {
                "status": "affected",
                "version": "11.5(2)"
              },
              {
                "status": "affected",
                "version": "11.5(3)"
              },
              {
                "status": "affected",
                "version": "12.0.1a"
              },
              {
                "status": "affected",
                "version": "11.5(3a)"
              },
              {
                "status": "affected",
                "version": "12.0.2d"
              },
              {
                "status": "affected",
                "version": "12.0.2f"
              },
              {
                "status": "affected",
                "version": "11.5(4)"
              },
              {
                "status": "affected",
                "version": "12.1.1"
              },
              {
                "status": "affected",
                "version": "12.1.1e"
              },
              {
                "status": "affected",
                "version": "12.1.1p"
              },
              {
                "status": "affected",
                "version": "12.1.2e"
              },
              {
                "status": "affected",
                "version": "12.1.2p"
              },
              {
                "status": "affected",
                "version": "12.1.3b"
              },
              {
                "status": "affected",
                "version": "12.2.1"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-20444",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-02T19:29:46.344080Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-02T19:45:29.694Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Cisco Data Center Network Manager",
          "vendor": "Cisco",
          "versions": [
            {
              "status": "affected",
              "version": "11.2(1)"
            },
            {
              "status": "affected",
              "version": "7.0(2)"
            },
            {
              "status": "affected",
              "version": "10.3(2)IPFM"
            },
            {
              "status": "affected",
              "version": "10.1(1)"
            },
            {
              "status": "affected",
              "version": "7.2(3)"
            },
            {
              "status": "affected",
              "version": "7.2(2)"
            },
            {
              "status": "affected",
              "version": "7.2(1)"
            },
            {
              "status": "affected",
              "version": "11.0(1)"
            },
            {
              "status": "affected",
              "version": "10.4(1)"
            },
            {
              "status": "affected",
              "version": "10.2(1)"
            },
            {
              "status": "affected",
              "version": "7.2(2a)"
            },
            {
              "status": "affected",
              "version": "10.1(2)"
            },
            {
              "status": "affected",
              "version": "7.1(1)"
            },
            {
              "status": "affected",
              "version": "12.1(1)"
            },
            {
              "status": "affected",
              "version": "11.1(1)"
            },
            {
              "status": "affected",
              "version": "10.3(1)"
            },
            {
              "status": "affected",
              "version": "10.3(1)R(1)"
            },
            {
              "status": "affected",
              "version": "7.0(1)"
            },
            {
              "status": "affected",
              "version": "10.0(1)"
            },
            {
              "status": "affected",
              "version": "7.1(2)"
            },
            {
              "status": "affected",
              "version": "11.4(1)"
            },
            {
              "status": "affected",
              "version": "10.4(2)"
            },
            {
              "status": "affected",
              "version": "11.3(1)"
            },
            {
              "status": "affected",
              "version": "11.5(1)"
            },
            {
              "status": "affected",
              "version": "11.5(2)"
            },
            {
              "status": "affected",
              "version": "11.5(3)"
            },
            {
              "status": "affected",
              "version": "12.0.1a"
            },
            {
              "status": "affected",
              "version": "11.5(3a)"
            },
            {
              "status": "affected",
              "version": "12.0.2d"
            },
            {
              "status": "affected",
              "version": "12.0.2f"
            },
            {
              "status": "affected",
              "version": "11.5(4)"
            },
            {
              "status": "affected",
              "version": "12.1.1"
            },
            {
              "status": "affected",
              "version": "12.1.1e"
            },
            {
              "status": "affected",
              "version": "12.1.1p"
            },
            {
              "status": "affected",
              "version": "12.1.2e"
            },
            {
              "status": "affected",
              "version": "12.1.2p"
            },
            {
              "status": "affected",
              "version": "12.1.3b"
            },
            {
              "status": "affected",
              "version": "12.2.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC), formerly Cisco Data Center Network Manager (DCNM), could allow an authenticated, remote attacker with network-admin privileges to perform a command injection attack against an affected device.\r\n\u0026nbsp;\r\nThis vulnerability is due to insufficient validation of command arguments. An attacker could exploit this vulnerability by submitting crafted command arguments to a specific REST API endpoint. A successful exploit could allow the attacker to overwrite sensitive files or crash a specific container, which would restart on its own, causing a low-impact denial of service (DoS) condition."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L",
            "version": "3.1"
          },
          "format": "cvssV3_1"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-88",
              "description": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-02T16:54:09.855Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "cisco-sa-ndfc-raci-T46k3jnN",
          "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndfc-raci-T46k3jnN"
        }
      ],
      "source": {
        "advisory": "cisco-sa-ndfc-raci-T46k3jnN",
        "defects": [
          "CSCwj55173"
        ],
        "discovery": "INTERNAL"
      },
      "title": "Cisco Nexus Dashboard Fabric Controller REST API Command Injection Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2024-20444",
    "datePublished": "2024-10-02T16:54:09.855Z",
    "dateReserved": "2023-11-08T15:08:07.677Z",
    "dateUpdated": "2024-10-02T19:45:29.694Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-20287 (GCVE-0-2024-20287)

Vulnerability from cvelistv5 – Published: 2024-01-17 16:58 – Updated: 2025-06-02 15:05
VLAI
Summary
A vulnerability in the web-based management interface of the Cisco WAP371 Wireless-AC/N Dual Radio Access Point (AP) with Single Point Setup could allow an authenticated, remote attacker to perform command injection attacks against an affected device. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the device. To exploit this vulnerability, the attacker must have valid administrative credentials for the device.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
Impacted products
Vendor Product Version
Cisco Cisco Business Wireless Access Point Software Affected: 1.0.1.5
Affected: 1.0.0.10
Affected: 1.0.0.9
Affected: 1.1.2.3
Affected: 1.2.0.2
Affected: 1.2.0.3
Affected: 1.2.1.3
Affected: 1.3.0.3
Affected: 1.3.0.4
Affected: 1.3.0.6
Affected: 1.3.0.7
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T21:59:41.357Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "cisco-sa-sb-wap-inject-bHStWgXO",
            "tags": [
              "x_transferred"
            ],
            "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-wap-inject-bHStWgXO"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-20287",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-08T15:46:56.632251Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-88",
                "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-02T15:05:08.192Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco Business Wireless Access Point Software",
          "vendor": "Cisco",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.1.5"
            },
            {
              "status": "affected",
              "version": "1.0.0.10"
            },
            {
              "status": "affected",
              "version": "1.0.0.9"
            },
            {
              "status": "affected",
              "version": "1.1.2.3"
            },
            {
              "status": "affected",
              "version": "1.2.0.2"
            },
            {
              "status": "affected",
              "version": "1.2.0.3"
            },
            {
              "status": "affected",
              "version": "1.2.1.3"
            },
            {
              "status": "affected",
              "version": "1.3.0.3"
            },
            {
              "status": "affected",
              "version": "1.3.0.4"
            },
            {
              "status": "affected",
              "version": "1.3.0.6"
            },
            {
              "status": "affected",
              "version": "1.3.0.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the web-based management interface of the Cisco WAP371 Wireless-AC/N Dual Radio Access Point (AP) with Single Point Setup could allow an authenticated, remote attacker to perform command injection attacks against an affected device. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the device. To exploit this vulnerability, the attacker must have valid administrative credentials for the device."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory.\r\n\r\nThe Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "cvssV3_1"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-88",
              "description": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-02T15:42:45.536Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "cisco-sa-sb-wap-inject-bHStWgXO",
          "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-wap-inject-bHStWgXO"
        }
      ],
      "source": {
        "advisory": "cisco-sa-sb-wap-inject-bHStWgXO",
        "defects": [
          "CSCwi22632"
        ],
        "discovery": "EXTERNAL"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2024-20287",
    "datePublished": "2024-01-17T16:58:01.192Z",
    "dateReserved": "2023-11-08T15:08:07.626Z",
    "dateUpdated": "2025-06-02T15:05:08.192Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-11633 (GCVE-0-2024-11633)

Vulnerability from cvelistv5 – Published: 2024-12-10 18:47 – Updated: 2024-12-14 04:55
VLAI
Summary
Argument injection in Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
Impacted products
Vendor Product Version
Ivanti Connect Secure Unaffected: 22.7R2.4 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-11633",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-13T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-14T04:55:15.649Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Connect Secure",
          "vendor": "Ivanti",
          "versions": [
            {
              "status": "unaffected",
              "version": "22.7R2.4",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eArgument injection in \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIvanti Connect Secure before version 22.7R2.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e4\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e allows a remote authenticated attacker with admin privileges to achie\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eve remote code execution\u003c/span\u003e"
            }
          ],
          "value": "Argument injection in Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-6",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-6 Argument Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-88",
              "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-10T18:47:55.575Z",
        "orgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
        "shortName": "ivanti"
      },
      "references": [
        {
          "url": "https://forums.ivanti.com/s/article/December-2024-Security-Advisory-Ivanti-Connect-Secure-ICS-and-Ivanti-Policy-Secure-IPS-Multiple-CVEs"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
    "assignerShortName": "ivanti",
    "cveId": "CVE-2024-11633",
    "datePublished": "2024-12-10T18:47:55.575Z",
    "dateReserved": "2024-11-22T18:01:02.018Z",
    "dateUpdated": "2024-12-14T04:55:15.649Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-9131 (GCVE-0-2024-9131)

Vulnerability from cvelistv5 – Published: 2025-01-10 21:28 – Updated: 2025-01-13 15:45
VLAI
Title
A user with administrator privileges can perform command injection
Summary
A user with administrator privileges can perform command injection
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
Arista Networks Arista Edge Threat Management Affected: 17.1.0 , ≤ 17.1.1 (custom)
Create a notification for this product.
Date Public
2024-10-29 20:20
Credits
Mehmet INCE from PRODAFT.com
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-9131",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-13T15:45:46.119591Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-13T15:45:58.848Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Arista Edge Threat Management",
          "vendor": "Arista Networks",
          "versions": [
            {
              "lessThanOrEqual": "17.1.1",
              "status": "affected",
              "version": "17.1.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNo required configuration.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "No required configuration."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Mehmet INCE from PRODAFT.com"
        }
      ],
      "datePublic": "2024-10-29T20:20:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA user with administrator privileges can perform command injection\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "A user with administrator privileges can perform command injection"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-88",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-88"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-88",
              "description": "CWE-88",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-10T21:28:47.417Z",
        "orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
        "shortName": "Arista"
      },
      "references": [
        {
          "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/20454-security-advisory-0105"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eThe recommended resolution for all issues documented above is to upgrade to the version indicated below at your earliest convenience.\u003c/div\u003e\u003cul\u003e\u003cli\u003e17.2 Upgrade\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "The recommended resolution for all issues documented above is to upgrade to the version indicated below at your earliest convenience.\n\n  *  17.2 Upgrade"
        }
      ],
      "source": {
        "advisory": "105",
        "defect": [
          "NGFW-14800"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "A user with administrator privileges can perform command injection",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNo known mitigation.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "No known mitigation."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
    "assignerShortName": "Arista",
    "cveId": "CVE-2024-9131",
    "datePublished": "2025-01-10T21:28:47.417Z",
    "dateReserved": "2024-09-23T22:00:58.758Z",
    "dateUpdated": "2025-01-13T15:45:58.848Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-7573 (GCVE-0-2024-7573)

Vulnerability from cvelistv5 – Published: 2024-08-28 02:05 – Updated: 2026-04-08 17:18
VLAI
Title
Relevanssi Live Ajax Search <= 2.4 - Unauthenticated WP_Query Argument Injection
Summary
The Relevanssi Live Ajax Search plugin for WordPress is vulnerable to argument injection in all versions up to, and including, 2.4. This is due to insufficient validation of input supplied via POST data in the 'search' function. This makes it possible for unauthenticated attackers to inject arbitrary arguments into a WP_Query query and potentially expose sensitive information such as attachments or private posts.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
Impacted products
Vendor Product Version
comesio Relevanssi Live Ajax Search Affected: 0 , ≤ 2.4 (semver)
Create a notification for this product.
relevanssi relevanssi-live-ajax-search Affected: 0 , ≤ 2.4 (semver)
    cpe:2.3:a:relevanssi:relevanssi-live-ajax-search:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Nicola Scattaglia
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:relevanssi:relevanssi-live-ajax-search:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "relevanssi-live-ajax-search",
            "vendor": "relevanssi",
            "versions": [
              {
                "lessThanOrEqual": "2.4",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-7573",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-28T13:44:24.447886Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-28T13:48:45.580Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Relevanssi Live Ajax Search",
          "vendor": "comesio",
          "versions": [
            {
              "lessThanOrEqual": "2.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nicola Scattaglia"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Relevanssi Live Ajax Search plugin for WordPress is vulnerable to argument injection in all versions up to, and including, 2.4. This is due to insufficient validation of input supplied via POST data in the \u0027search\u0027 function. This makes it possible for unauthenticated attackers to inject arbitrary arguments into a WP_Query query and potentially expose sensitive information such as attachments or private posts."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-88",
              "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:18:36.068Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bbcb648a-4a3e-4645-bd62-4415b1cf6516?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3135074/relevanssi-live-ajax-search"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-08-13T00:00:00.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2024-08-27T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Relevanssi Live Ajax Search \u003c= 2.4 - Unauthenticated WP_Query Argument Injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-7573",
    "datePublished": "2024-08-28T02:05:44.057Z",
    "dateReserved": "2024-08-06T19:44:06.508Z",
    "dateUpdated": "2026-04-08T17:18:36.068Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Implementation

Strategy: Parameterization

Where possible, avoid building a single string that contains the command and its arguments. Some languages or frameworks have functions that support specifying independent arguments, e.g. as an array, which is used to automatically perform the appropriate quoting or escaping while building the command. For example, in PHP, escapeshellarg() can be used to escape a single argument to system(), or exec() can be called with an array of arguments. In C, code can often be refactored from using system() - which accepts a single string - to using exec(), which requires separate function arguments for each parameter.

Mitigation
Architecture and Design

Strategy: Input Validation

Understand all the potential areas where untrusted inputs can enter your product: parameters or arguments, cookies, anything read from the network, environment variables, request headers as well as content, URL components, e-mail, files, databases, and any external systems that provide data to the application. Perform input validation at well-defined interfaces.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation
Implementation

Directly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input's values fall within the expected range of allowable values and that multi-field consistencies are maintained.

Mitigation
Implementation
  • Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control.
  • Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content.
Mitigation
Implementation

When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.

Mitigation
Implementation

When your application combines data from multiple sources, perform the validation after the sources have been combined. The individual data elements may pass the validation step but violate the intended restrictions after they have been combined.

Mitigation
Testing

Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

CAPEC-137: Parameter Injection

An adversary manipulates the content of request parameters for the purpose of undermining the security of the target. Some parameter encodings use text characters as separators. For example, parameters in a HTTP GET message are encoded as name-value pairs separated by an ampersand (&). If an attacker can supply text strings that are used to fill in these parameters, then they can inject special characters used in the encoding scheme to add or modify parameters. For example, if user input is fed directly into an HTTP GET request and the user provides the value "myInput&new_param=myValue", then the input parameter is set to myInput, but a new parameter (new_param) is also added with a value of myValue. This can significantly change the meaning of the query that is processed by the server. Any encoding scheme where parameters are identified and separated by text characters is potentially vulnerable to this attack - the HTTP GET encoding used above is just one example.

CAPEC-174: Flash Parameter Injection

An adversary takes advantage of improper data validation to inject malicious global parameters into a Flash file embedded within an HTML document. Flash files can leverage user-submitted data to configure the Flash document and access the embedding HTML document.

CAPEC-41: Using Meta-characters in E-mail Headers to Inject Malicious Payloads

This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system.

CAPEC-460: HTTP Parameter Pollution (HPP)

An adversary adds duplicate HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.

CAPEC-88: OS Command Injection

In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.