Vulnerability-Lookup - Search a vulnerability

Vulnerabilites related to InseeFrLab - onyxia

CVE-2024-56333 (GCVE-0-2024-56333)

Vulnerability from cvelistv5

Published

2024-12-20 19:52

Modified

2024-12-24 16:38

Severity ?

9.4 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Summary

Onyxia is a web app that aims at being the glue between multiple open source backend technologies to provide a state of art working environment for data scientists. This critical vulnerability allows authenticated users to remotely execute code within the Onyxia-API, leading to potential consequences such as unauthorized access to other user environments and denial of service attacks. This issue has been patched in api versions 4.2.0, 3.1.1, and 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

▼	URL	Tags
	https://github.com/InseeFrLab/onyxia/security/advisories/GHSA-qmcw-h4f9-j3h3	x_refsource_CONFIRM
	https://docs.onyxia.sh/vulnerability-disclosure/known-vulnerabilities/vulnerability-20241219	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	InseeFrLab	onyxia	Version: < 2.8.2 Version: >= 3.0.0, < 3.1.1 Version: >= 4.0.0, < 4.2.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-56333",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-24T16:38:39.255348Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-24T16:38:50.448Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "onyxia",
          "vendor": "InseeFrLab",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.8.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.1.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Onyxia is a web app that aims at being the glue between multiple open source backend technologies to provide a state of art working environment for data scientists. This critical vulnerability allows authenticated users to remotely execute code within the Onyxia-API, leading to potential consequences such as unauthorized access to other user environments and denial of service attacks. This issue has been patched in api versions 4.2.0, 3.1.1, and 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-20T19:52:25.818Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/InseeFrLab/onyxia/security/advisories/GHSA-qmcw-h4f9-j3h3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/InseeFrLab/onyxia/security/advisories/GHSA-qmcw-h4f9-j3h3"
        },
        {
          "name": "https://docs.onyxia.sh/vulnerability-disclosure/known-vulnerabilities/vulnerability-20241219",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.onyxia.sh/vulnerability-disclosure/known-vulnerabilities/vulnerability-20241219"
        }
      ],
      "source": {
        "advisory": "GHSA-qmcw-h4f9-j3h3",
        "discovery": "UNKNOWN"
      },
      "title": "Remote code execution in onyxia-api"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-56333",
    "datePublished": "2024-12-20T19:52:25.818Z",
    "dateReserved": "2024-12-19T18:39:53.612Z",
    "dateUpdated": "2024-12-24T16:38:50.448Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-58366 (GCVE-0-2025-58366)