Common Weakness Enumeration

CWE-95

Allowed

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

262 vulnerabilities reference this CWE, most recent first.

CVE-2024-45846 (GCVE-0-2024-45846)

Vulnerability from cvelistv5 – Published: 2024-09-12 12:56 – Updated: 2024-09-12 14:39
VLAI
Summary
An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted ‘SELECT WHERE’ clause containing Python code is run against a database created with the Weaviate engine, the code will be passed to an eval function and executed on the server.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
Impacted products
Vendor Product Version
mindsdb mindsdb Affected: 23.10.3.0 , < 24.7.4.1 (semver)
Create a notification for this product.
mindsdb mindsdb Affected: 23.10.3.0 , < 24.7.4.1 (semver)
    cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "mindsdb",
            "vendor": "mindsdb",
            "versions": [
              {
                "lessThan": "24.7.4.1",
                "status": "affected",
                "version": "23.10.3.0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45846",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-12T14:38:31.814512Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T14:39:09.882Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "mindsdb",
          "repo": "https://github.com/mindsdb/mindsdb",
          "vendor": "mindsdb",
          "versions": [
            {
              "lessThan": "24.7.4.1",
              "status": "affected",
              "version": "23.10.3.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted \u2018SELECT WHERE\u2019 clause containing Python code is run against a database created with the Weaviate engine, the code will be passed to an eval function and executed on the server."
            }
          ],
          "value": "An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted \u2018SELECT WHERE\u2019 clause containing Python code is run against a database created with the Weaviate engine, the code will be passed to an eval function and executed on the server."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-35",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-35 Leverage Executable Code in Non-Executable Files"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-95",
              "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-12T12:56:48.362Z",
        "orgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c",
        "shortName": "HiddenLayer"
      },
      "references": [
        {
          "url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c",
    "assignerShortName": "HiddenLayer",
    "cveId": "CVE-2024-45846",
    "datePublished": "2024-09-12T12:56:48.362Z",
    "dateReserved": "2024-09-10T15:36:52.125Z",
    "dateUpdated": "2024-09-12T14:39:09.882Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-43404 (GCVE-0-2024-43404)

Vulnerability from cvelistv5 – Published: 2024-08-20 14:55 – Updated: 2024-08-20 20:29
VLAI
Title
Remote Code Execution Vulnerability in MEGABOT
Summary
MEGABOT is a fully customized Discord bot for learning and fun. The `/math` command and functionality of MEGABOT versions < 1.5.0 contains a remote code execution vulnerability due to a Python `eval()`. The vulnerability allows an attacker to inject Python code into the `expression` parameter when using `/math` in any Discord channel. This vulnerability impacts any discord guild utilizing MEGABOT. This vulnerability was fixed in release version 1.5.0.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
Impacted products
Vendor Product Version
NicPWNs MEGABOT Affected: < 1.5.0
Create a notification for this product.
megacord megabot Affected: 0 , < 1.5.0 (custom)
    cpe:2.3:a:megacord:megabot:*:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:megacord:megabot:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "megabot",
            "vendor": "megacord",
            "versions": [
              {
                "lessThan": "1.5.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-43404",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-20T20:07:50.076252Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-20T20:29:22.818Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MEGABOT",
          "vendor": "NicPWNs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.5.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "MEGABOT is a fully customized Discord bot for learning and fun. The `/math` command and functionality of MEGABOT versions \u003c 1.5.0 contains a remote code execution vulnerability due to a Python `eval()`. The vulnerability allows an attacker to inject Python code into the `expression` parameter when using `/math` in any Discord channel. This vulnerability impacts any discord guild utilizing MEGABOT. This vulnerability was fixed in  release version 1.5.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-95",
              "description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-20T14:55:12.928Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/NicPWNs/MEGABOT/security/advisories/GHSA-vhxp-4hwq-w3p2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/NicPWNs/MEGABOT/security/advisories/GHSA-vhxp-4hwq-w3p2"
        },
        {
          "name": "https://github.com/NicPWNs/MEGABOT/issues/137",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NicPWNs/MEGABOT/issues/137"
        },
        {
          "name": "https://github.com/NicPWNs/MEGABOT/pull/138",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NicPWNs/MEGABOT/pull/138"
        },
        {
          "name": "https://github.com/NicPWNs/MEGABOT/commit/71e79e5581ea36313700385b112d863053fb7ed6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NicPWNs/MEGABOT/commit/71e79e5581ea36313700385b112d863053fb7ed6"
        },
        {
          "name": "https://github.com/NicPWNs/MEGABOT/releases/tag/v1.5.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NicPWNs/MEGABOT/releases/tag/v1.5.0"
        }
      ],
      "source": {
        "advisory": "GHSA-vhxp-4hwq-w3p2",
        "discovery": "UNKNOWN"
      },
      "title": "Remote Code Execution Vulnerability in MEGABOT"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-43404",
    "datePublished": "2024-08-20T14:55:12.928Z",
    "dateReserved": "2024-08-12T18:02:04.966Z",
    "dateUpdated": "2024-08-20T20:29:22.818Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-41921 (GCVE-0-2024-41921)

Vulnerability from cvelistv5 – Published: 2025-07-17 19:13 – Updated: 2025-07-18 08:05
VLAI
Title
Unsafe use of eval() method in rostopic echo tool
Summary
A code injection vulnerability has been discovered in the Robot Operating System (ROS) 'rostopic' command-line tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability lies in the 'echo' verb, which allows a user to introspect a ROS topic and accepts a user-provided Python expression via the --filter option. This input is passed directly to the eval() function without sanitization, allowing a local user to craft and execute arbitrary code.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
Vendor Product Version
Open Source Robotics Foundation Robot Operating System (ROS) Affected: Noetic Ninjemys
Affected: Melodic Morenia
Affected: Kinetic Kame
Affected: Indigo Igloo
Create a notification for this product.
Credits
Florencia Cabral Berenfus, Ubuntu Robotics Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-41921",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-17T20:37:06.242493Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-17T20:37:17.375Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "rostopic"
          ],
          "packageName": "rostopic",
          "platforms": [
            "Linux",
            "Windows",
            "MacOS"
          ],
          "product": "Robot Operating System (ROS)",
          "repo": "https://github.com/ros/ros_comm",
          "vendor": "Open Source Robotics Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "Noetic Ninjemys"
            },
            {
              "status": "affected",
              "version": "Melodic Morenia"
            },
            {
              "status": "affected",
              "version": "Kinetic Kame"
            },
            {
              "status": "affected",
              "version": "Indigo Igloo"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Florencia Cabral Berenfus, Ubuntu Robotics Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A code injection vulnerability has been discovered in the Robot Operating System (ROS) \u0027rostopic\u0027 command-line tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability lies in the \u0027echo\u0027 verb, which allows a user to introspect a ROS topic and accepts a user-provided Python expression via the --filter option. This input is passed directly to the eval() function without sanitization, allowing a local user to craft and execute arbitrary code."
            }
          ],
          "value": "A code injection vulnerability has been discovered in the Robot Operating System (ROS) \u0027rostopic\u0027 command-line tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability lies in the \u0027echo\u0027 verb, which allows a user to introspect a ROS topic and accepts a user-provided Python expression via the --filter option. This input is passed directly to the eval() function without sanitization, allowing a local user to craft and execute arbitrary code."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-586",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-586 Object Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-95",
              "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-18T08:05:08.288Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://www.ros.org/blog/noetic-eol/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "All ROS (1) versions are EOL, upgrade to a ROS 2 version."
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Unsafe use of eval() method in rostopic echo tool"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2024-41921",
    "datePublished": "2025-07-17T19:13:34.025Z",
    "dateReserved": "2024-08-08T14:41:22.680Z",
    "dateUpdated": "2025-07-18T08:05:08.288Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-41148 (GCVE-0-2024-41148)

Vulnerability from cvelistv5 – Published: 2025-07-17 19:12 – Updated: 2025-07-18 08:04
VLAI
Title
Unsafe use of eval() method in rostopic hz tool
Summary
A code injection vulnerability has been discovered in the Robot Operating System (ROS) 'rostopic' command-line tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability lies in the 'hz' verb, which reports the publishing rate of a topic and accepts a user-provided Python expression via the --filter option. This input is passed directly to the eval() function without sanitization, allowing a local user to craft and execute arbitrary code.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
Vendor Product Version
Open Source Robotics Foundation Robot Operating System (ROS) Affected: Noetic Ninjemys
Affected: Melodic Morenia
Affected: Kinetic Kame
Affected: Indigo Igloo
Create a notification for this product.
Credits
Florencia Cabral Berenfus, Ubuntu Robotics Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-41148",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-17T20:36:47.021797Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-17T20:36:53.477Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "rostopic"
          ],
          "packageName": "rostopic",
          "platforms": [
            "Linux",
            "Windows",
            "MacOS"
          ],
          "product": "Robot Operating System (ROS)",
          "repo": "https://github.com/ros/ros_comm",
          "vendor": "Open Source Robotics Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "Noetic Ninjemys"
            },
            {
              "status": "affected",
              "version": "Melodic Morenia"
            },
            {
              "status": "affected",
              "version": "Kinetic Kame"
            },
            {
              "status": "affected",
              "version": "Indigo Igloo"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Florencia Cabral Berenfus, Ubuntu Robotics Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A code injection vulnerability has been discovered in the Robot Operating System (ROS) \u0027rostopic\u0027 command-line tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability lies in the \u0027hz\u0027 verb, which reports the publishing rate of a topic and accepts a user-provided Python expression via the --filter option. This input is passed directly to the eval() function without sanitization, allowing a local user to craft and execute arbitrary code."
            }
          ],
          "value": "A code injection vulnerability has been discovered in the Robot Operating System (ROS) \u0027rostopic\u0027 command-line tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability lies in the \u0027hz\u0027 verb, which reports the publishing rate of a topic and accepts a user-provided Python expression via the --filter option. This input is passed directly to the eval() function without sanitization, allowing a local user to craft and execute arbitrary code."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-586",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-586 Object Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-95",
              "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-18T08:04:55.109Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://www.ros.org/blog/noetic-eol/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "All ROS (1) versions are EOL, upgrade to a ROS 2 version."
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Unsafe use of eval() method in rostopic hz tool"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2024-41148",
    "datePublished": "2025-07-17T19:12:54.440Z",
    "dateReserved": "2024-08-01T12:00:12.200Z",
    "dateUpdated": "2025-07-18T08:04:55.109Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-39835 (GCVE-0-2024-39835)

Vulnerability from cvelistv5 – Published: 2025-07-17 19:12 – Updated: 2025-07-18 08:04
VLAI
Title
Unsafe use of eval() method in roslaunch tool
Summary
A code injection vulnerability has been identified in the Robot Operating System (ROS) 'roslaunch' command-line tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability arises from the use of the eval() method to process user-supplied, unsanitized parameter values within the substitution args mechanism, which roslaunch evaluates before launching a node. This flaw allows attackers to craft and execute arbitrary Python code.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
Vendor Product Version
Open Source Robotics Foundation Robot Operating System (ROS) Affected: Noetic Ninjemys
Affected: Melodic Morenia
Affected: Kinetic Kame
Affected: Indigo Igloo
Create a notification for this product.
Credits
Florencia Cabral Berenfus, Ubuntu Robotics Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-39835",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-17T20:36:20.278839Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-17T20:36:29.087Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "roslaunch"
          ],
          "packageName": "roslaunch",
          "platforms": [
            "Linux",
            "Windows",
            "MacOS"
          ],
          "product": "Robot Operating System (ROS)",
          "repo": "https://github.com/ros/ros_comm",
          "vendor": "Open Source Robotics Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "Noetic Ninjemys"
            },
            {
              "status": "affected",
              "version": "Melodic Morenia"
            },
            {
              "status": "affected",
              "version": "Kinetic Kame"
            },
            {
              "status": "affected",
              "version": "Indigo Igloo"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Florencia Cabral Berenfus, Ubuntu Robotics Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A code injection vulnerability has been identified in the Robot Operating System (ROS) \u0027roslaunch\u0027 command-line tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability arises from the use of the eval() method to process user-supplied, unsanitized parameter values within the substitution args mechanism, which roslaunch evaluates before launching a node. This flaw allows attackers to craft and execute arbitrary Python code."
            }
          ],
          "value": "A code injection vulnerability has been identified in the Robot Operating System (ROS) \u0027roslaunch\u0027 command-line tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability arises from the use of the eval() method to process user-supplied, unsanitized parameter values within the substitution args mechanism, which roslaunch evaluates before launching a node. This flaw allows attackers to craft and execute arbitrary Python code."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-586",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-586 Object Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-95",
              "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-18T08:04:28.875Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://www.ros.org/blog/noetic-eol/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "All ROS (1) versions are EOL, upgrade to a ROS 2 version."
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Unsafe use of eval() method in roslaunch tool"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2024-39835",
    "datePublished": "2025-07-17T19:12:08.177Z",
    "dateReserved": "2024-08-08T14:41:22.665Z",
    "dateUpdated": "2025-07-18T08:04:28.875Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-39289 (GCVE-0-2024-39289)

Vulnerability from cvelistv5 – Published: 2025-07-17 19:11 – Updated: 2025-07-18 08:04
VLAI
Title
Unsafe use of eval() method in rosparam tool
Summary
A code execution vulnerability has been discovered in the Robot Operating System (ROS) 'rosparam' tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability stems from the use of the eval() function to process unsanitized, user-supplied parameter values via special converters for angle representations in radians. This flaw allowed attackers to craft and execute arbitrary Python code.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
Vendor Product Version
Open Source Robotics Foundation Robot Operating System (ROS) Affected: Noetic Ninjemys
Affected: Melodic Morenia
Affected: Kinetic Kame
Affected: Indigo Igloo
Create a notification for this product.
Credits
Florencia Cabral Berenfus, Ubuntu Robotics Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-39289",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-17T20:35:48.704499Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-17T20:35:59.863Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "rosparam"
          ],
          "packageName": "rosparam",
          "platforms": [
            "Linux",
            "Windows",
            "MacOS"
          ],
          "product": "Robot Operating System (ROS)",
          "repo": "https://github.com/ros/ros_comm",
          "vendor": "Open Source Robotics Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "Noetic Ninjemys"
            },
            {
              "status": "affected",
              "version": "Melodic Morenia"
            },
            {
              "status": "affected",
              "version": "Kinetic Kame"
            },
            {
              "status": "affected",
              "version": "Indigo Igloo"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Florencia Cabral Berenfus, Ubuntu Robotics Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A code execution vulnerability has been discovered in the Robot Operating System (ROS) \u0027rosparam\u0027 tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability stems from the use of the eval() function to process unsanitized, user-supplied parameter values via special converters for angle representations in radians. This flaw allowed attackers to craft and execute arbitrary Python code."
            }
          ],
          "value": "A code execution vulnerability has been discovered in the Robot Operating System (ROS) \u0027rosparam\u0027 tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability stems from the use of the eval() function to process unsanitized, user-supplied parameter values via special converters for angle representations in radians. This flaw allowed attackers to craft and execute arbitrary Python code."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-586",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-586 Object Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-95",
              "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-18T08:04:04.631Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://www.ros.org/blog/noetic-eol/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "All ROS (1) versions are EOL, upgrade to a ROS 2 version."
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Unsafe use of eval() method in rosparam tool"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2024-39289",
    "datePublished": "2025-07-17T19:11:07.080Z",
    "dateReserved": "2024-08-01T12:00:12.191Z",
    "dateUpdated": "2025-07-18T08:04:04.631Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-37901 (GCVE-0-2024-37901)

Vulnerability from cvelistv5 – Published: 2024-07-31 15:19 – Updated: 2024-08-13 13:37
VLAI
Title
XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
  • CWE-862 - Missing Authorization
Assigner
Impacted products
Vendor Product Version
xwiki xwiki-platform Affected: >= 15.6-rc-1, < 15.10.2
Affected: >= 15.0-rc-1, < 15.5.5
Affected: >= 9.2-rc-1, < 14.10.21
Create a notification for this product.
xwiki xwiki Affected: 15.6-rc-1 , < 15.10.2 (custom)
Affected: 15.0-rc-1 , < 15.5.5 (custom)
Affected: 9.2-rc-1 , < 14.10.21 (custom)
    cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "xwiki",
            "vendor": "xwiki",
            "versions": [
              {
                "lessThan": "15.10.2",
                "status": "affected",
                "version": "15.6-rc-1",
                "versionType": "custom"
              },
              {
                "lessThan": "15.5.5",
                "status": "affected",
                "version": "15.0-rc-1",
                "versionType": "custom"
              },
              {
                "lessThan": "14.10.21",
                "status": "affected",
                "version": "9.2-rc-1",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-37901",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-06T19:00:10.576097Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-13T13:37:05.363Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 15.6-rc-1, \u003c 15.10.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 15.0-rc-1, \u003c 15.5.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 9.2-rc-1, \u003c 14.10.21"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-95",
              "description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-31T15:19:36.588Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h63h-5c77-77p5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h63h-5c77-77p5"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/0b135760514fef73db748986a3311f3edd4a553b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/0b135760514fef73db748986a3311f3edd4a553b"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/742cd4591642be4cdcaf68325f17540e0934e64e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/742cd4591642be4cdcaf68325f17540e0934e64e"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/9ce3e0319869b6d8131fc4e0909736f7041566a4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/9ce3e0319869b6d8131fc4e0909736f7041566a4"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/bbde8a4f564e3c28839440076334a9093e2b4834",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/bbde8a4f564e3c28839440076334a9093e2b4834"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-21473",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-21473"
        }
      ],
      "source": {
        "advisory": "GHSA-h63h-5c77-77p5",
        "discovery": "UNKNOWN"
      },
      "title": "XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-37901",
    "datePublished": "2024-07-31T15:19:36.588Z",
    "dateReserved": "2024-06-10T19:54:41.362Z",
    "dateUpdated": "2024-08-13T13:37:05.363Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-36404 (GCVE-0-2024-36404)

Vulnerability from cvelistv5 – Published: 2024-07-02 13:39 – Updated: 2024-08-02 03:37
VLAI
Title
GeoTools Remote Code Execution (RCE) vulnerability in evaluating XPath expressions
Summary
GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. Versions 31.2, 30.4, and 29.6 contain a fix for this issue. As a workaround, GeoTools can operate with reduced functionality by removing the `gt-complex` jar from one's application. As an example of the impact, application schema `datastore` would not function without the ability to use XPath expressions to query complex content. Alternatively, one may utilize a drop-in replacement GeoTools jar from SourceForge for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0. These jars are for download only and are not available from maven central, intended to quickly provide a fix to affected applications.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
Impacted products
Vendor Product Version
geotools geotools Affected: < 29.6
Affected: >= 30.0, < 30.4
Affected: >= 31.0, < 31.2
Create a notification for this product.
geotools geotools Affected: 0 , < 29.6 (custom)
    cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*
Create a notification for this product.
geotools geotools Affected: 30.0 , < 30.4 (custom)
    cpe:2.3:a:geotools:geotools:30.0:-:*:*:*:*:*:*
Create a notification for this product.
geotools geotools Affected: 31.0 , < 31.2 (custom)
    cpe:2.3:a:geotools:geotools:31.0:-:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "affected",
            "product": "geotools",
            "vendor": "geotools",
            "versions": [
              {
                "lessThan": "29.6",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:geotools:geotools:30.0:-:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "geotools",
            "vendor": "geotools",
            "versions": [
              {
                "lessThan": "30.4",
                "status": "affected",
                "version": "30.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:geotools:geotools:31.0:-:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "geotools",
            "vendor": "geotools",
            "versions": [
              {
                "lessThan": "31.2",
                "status": "affected",
                "version": "31.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-36404",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-12T03:55:24.839633Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-15T12:17:05.059Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:37:05.024Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
          },
          {
            "name": "https://github.com/geotools/geotools/pull/4797",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/geotools/geotools/pull/4797"
          },
          {
            "name": "https://github.com/geotools/geotools/commit/f0c9961dc4d40c5acfce2169fab92805738de5ea",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/geotools/geotools/commit/f0c9961dc4d40c5acfce2169fab92805738de5ea"
          },
          {
            "name": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
          },
          {
            "name": "https://osgeo-org.atlassian.net/browse/GEOT-7587",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
          },
          {
            "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download"
          },
          {
            "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download"
          },
          {
            "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4"
          },
          {
            "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download"
          },
          {
            "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download"
          },
          {
            "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download"
          },
          {
            "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download"
          },
          {
            "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download"
          },
          {
            "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download"
          },
          {
            "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download"
          },
          {
            "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "geotools",
          "vendor": "geotools",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 29.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 30.0, \u003c 30.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 31.0, \u003c 31.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. Versions 31.2, 30.4, and 29.6 contain a fix for this issue. As a workaround, GeoTools can operate with reduced functionality by removing the `gt-complex` jar from one\u0027s application. As an example of the impact, application schema `datastore` would not function without the ability to use XPath expressions to query complex content. Alternatively, one may utilize a drop-in replacement GeoTools jar from SourceForge for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0. These jars are for download only and are not available from maven central, intended to quickly provide a fix to affected applications."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-95",
              "description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-02T13:39:35.716Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
        },
        {
          "name": "https://github.com/geotools/geotools/pull/4797",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/geotools/geotools/pull/4797"
        },
        {
          "name": "https://github.com/geotools/geotools/commit/f0c9961dc4d40c5acfce2169fab92805738de5ea",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/geotools/geotools/commit/f0c9961dc4d40c5acfce2169fab92805738de5ea"
        },
        {
          "name": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
        },
        {
          "name": "https://osgeo-org.atlassian.net/browse/GEOT-7587",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
        },
        {
          "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download"
        },
        {
          "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download"
        },
        {
          "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4"
        },
        {
          "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download"
        },
        {
          "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download"
        },
        {
          "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download"
        },
        {
          "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download"
        },
        {
          "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download"
        },
        {
          "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download"
        },
        {
          "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download"
        },
        {
          "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1"
        }
      ],
      "source": {
        "advisory": "GHSA-w3pj-wh35-fq8w",
        "discovery": "UNKNOWN"
      },
      "title": "GeoTools Remote Code Execution (RCE) vulnerability in evaluating XPath expressions"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-36404",
    "datePublished": "2024-07-02T13:39:35.716Z",
    "dateReserved": "2024-05-27T15:59:57.031Z",
    "dateUpdated": "2024-08-02T03:37:05.024Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-36401 (GCVE-0-2024-36401)

Vulnerability from cvelistv5 – Published: 2024-07-01 15:25 – Updated: 2025-10-21 22:56
VLAI
Title
Remote Code Execution (RCE) vulnerability in evaluating property name expressions in Geoserver
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
SSVC
Exploitation: active Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
Impacted products
Vendor Product Version
geoserver geoserver Affected: >= 2.23.0, < 2.23.6
Affected: >= 2.24.0, < 2.24.4
Affected: >= 2.25.0, < 2.25.2
Affected: < 2.22.6
Create a notification for this product.
geoserver geoserver Affected: 0 , < 2.23.6 (custom)
    cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*
Create a notification for this product.
geoserver geoserver Affected: 2.24.0 , < 2.24.4 (custom)
    cpe:2.3:a:geoserver:geoserver:2.24.0:-:*:*:*:*:*:*
Create a notification for this product.
geoserver geoserver Affected: 2.25.0 , < 2.25.2 (custom)
    cpe:2.3:a:geoserver:geoserver:2.25.0:-:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "affected",
            "product": "geoserver",
            "vendor": "geoserver",
            "versions": [
              {
                "lessThan": "2.23.6",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:geoserver:geoserver:2.24.0:-:*:*:*:*:*:*"
            ],
            "defaultStatus": "affected",
            "product": "geoserver",
            "vendor": "geoserver",
            "versions": [
              {
                "lessThan": "2.24.4",
                "status": "affected",
                "version": "2.24.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:geoserver:geoserver:2.25.0:-:*:*:*:*:*:*"
            ],
            "defaultStatus": "affected",
            "product": "geoserver",
            "vendor": "geoserver",
            "versions": [
              {
                "lessThan": "2.25.2",
                "status": "affected",
                "version": "2.25.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-36401",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-13T03:55:17.574252Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2024-07-15",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-36401"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T22:56:21.450Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-36401"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2024-07-15T00:00:00.000Z",
            "value": "CVE-2024-36401 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-19T07:47:49.937Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv"
          },
          {
            "name": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
          },
          {
            "name": "https://github.com/geotools/geotools/pull/4797",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/geotools/geotools/pull/4797"
          },
          {
            "name": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
          },
          {
            "name": "https://osgeo-org.atlassian.net/browse/GEOT-7587",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "geoserver",
          "vendor": "geoserver",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.23.0, \u003c 2.23.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.24.0, \u003c 2.24.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.25.0, \u003c 2.25.2"
            },
            {
              "status": "affected",
              "version": "\u003c 2.22.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.\n\nThe GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.\n\nVersions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-95",
              "description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-19T14:55:46.536Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv"
        },
        {
          "name": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
        },
        {
          "name": "https://github.com/geotools/geotools/pull/4797",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/geotools/geotools/pull/4797"
        },
        {
          "name": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
        },
        {
          "name": "https://osgeo-org.atlassian.net/browse/GEOT-7587",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
        }
      ],
      "source": {
        "advisory": "GHSA-6jj6-gm7p-fcvv",
        "discovery": "UNKNOWN"
      },
      "title": "Remote Code Execution (RCE) vulnerability in evaluating property name expressions in Geoserver"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-36401",
    "datePublished": "2024-07-01T15:25:41.873Z",
    "dateReserved": "2024-05-27T15:59:57.030Z",
    "dateUpdated": "2025-10-21T22:56:21.450Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-32649 (GCVE-0-2024-32649)

Vulnerability from cvelistv5 – Published: 2024-04-25 17:53 – Updated: 2024-08-02 02:13
VLAI
Title
vyper performs double eval of the argument of sqrt
Summary
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `sqrt` builtin can result in double eval vulnerability when the argument has side-effects. It can be seen that the `build_IR` function of the `sqrt` builtin doesn't cache the argument to the stack. As such, it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions are available.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
Impacted products
Vendor Product Version
vyperlang vyper Affected: <= 0.3.10
Create a notification for this product.
vyperlang vyper Affected: *
    cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "vyper",
            "vendor": "vyperlang",
            "versions": [
              {
                "status": "affected",
                "version": "*"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-32649",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-29T12:16:42.844342Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:52:16.841Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:13:40.270Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-5jrj-52x8-m64h",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-5jrj-52x8-m64h"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vyper",
          "vendor": "vyperlang",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 0.3.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `sqrt` builtin can result in double eval vulnerability when the argument has side-effects. It can be seen that the `build_IR` function of the `sqrt` builtin doesn\u0027t cache the argument to the stack. As such, it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions are available.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-95",
              "description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-25T17:53:01.072Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-5jrj-52x8-m64h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-5jrj-52x8-m64h"
        }
      ],
      "source": {
        "advisory": "GHSA-5jrj-52x8-m64h",
        "discovery": "UNKNOWN"
      },
      "title": "vyper performs double eval of the argument of sqrt"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-32649",
    "datePublished": "2024-04-25T17:53:01.072Z",
    "dateReserved": "2024-04-16T14:15:26.876Z",
    "dateUpdated": "2024-08-02T02:13:40.270Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Architecture and Design Implementation

Strategy: Refactoring

If possible, refactor your code so that it does not need to use eval() at all.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation
Implementation
  • Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control.
  • Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content.
Mitigation
Implementation

For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.