{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-41961", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-24T16:51:40.951Z", "datePublished": "2024-08-01T14:33:46.684Z", "dateUpdated": "2024-08-07T14:23:43.106Z"}, "containers": {"cna": {"title": "Elektra vulnerable to remote code execution in universal search", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H/E:X/RL:O/RC:C", "version": "3.1"}}], "references": [{"name": "https://github.com/sapcc/elektra/security/advisories/GHSA-6j2h-486h-487q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sapcc/elektra/security/advisories/GHSA-6j2h-486h-487q"}, {"name": "https://github.com/sapcc/elektra/commit/49aea3b365082681558bf3bf7bf4a51766cfc44d", "tags": ["x_refsource_MISC"], "url": "https://github.com/sapcc/elektra/commit/49aea3b365082681558bf3bf7bf4a51766cfc44d"}, {"name": "https://github.com/sapcc/elektra/commit/8bce00be93b95a6512ff68fe86bf9554e486bc02", "tags": ["x_refsource_MISC"], "url": "https://github.com/sapcc/elektra/commit/8bce00be93b95a6512ff68fe86bf9554e486bc02"}], "affected": [{"vendor": "sapcc", "product": "elektra", "versions": [{"version": "< 8bce00be93b95a6512ff68fe86bf9554e486bc02", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-08-01T14:33:46.684Z"}, "descriptions": [{"lang": "en", "value": "Elektra is an opinionated Openstack Dashboard for Operators and Consumers of Openstack Services. A code injection vulnerability was found in the live search functionality of the Ruby on Rails based Elektra web application. An authenticated user can craft a search term containing Ruby code, which later flows into an `eval` sink which executes the code. Fixed in commit 8bce00be93b95a6512ff68fe86bf9554e486bc02."}], "source": {"advisory": "GHSA-6j2h-486h-487q", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "sapcc", "product": "elektra", "cpes": ["cpe:2.3:a:sapcc:elektra:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "8bce00be93b95a6512ff68fe86bf9554e486bc02", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-07T14:22:09.735872Z", "id": "CVE-2024-41961", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-07T14:23:43.106Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-41961", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-07T14:22:09.735872Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:sapcc:elektra:*:*:*:*:*:*:*:*"], "vendor": "sapcc", "product": "elektra", "versions": [{"status": "affected", "version": "0", "lessThan": "8bce00be93b95a6512ff68fe86bf9554e486bc02", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-07T14:23:36.808Z"}}], "cna": {"title": "Elektra vulnerable to remote code execution in universal search", "source": {"advisory": "GHSA-6j2h-486h-487q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.2, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H/E:X/RL:O/RC:C", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "sapcc", "product": "elektra", "versions": [{"status": "affected", "version": "< 8bce00be93b95a6512ff68fe86bf9554e486bc02"}]}], "references": [{"url": "https://github.com/sapcc/elektra/security/advisories/GHSA-6j2h-486h-487q", "name": "https://github.com/sapcc/elektra/security/advisories/GHSA-6j2h-486h-487q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/sapcc/elektra/commit/49aea3b365082681558bf3bf7bf4a51766cfc44d", "name": "https://github.com/sapcc/elektra/commit/49aea3b365082681558bf3bf7bf4a51766cfc44d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/sapcc/elektra/commit/8bce00be93b95a6512ff68fe86bf9554e486bc02", "name": "https://github.com/sapcc/elektra/commit/8bce00be93b95a6512ff68fe86bf9554e486bc02", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Elektra is an opinionated Openstack Dashboard for Operators and Consumers of Openstack Services. A code injection vulnerability was found in the live search functionality of the Ruby on Rails based Elektra web application. An authenticated user can craft a search term containing Ruby code, which later flows into an `eval` sink which executes the code. Fixed in commit 8bce00be93b95a6512ff68fe86bf9554e486bc02."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-08-01T14:33:46.684Z"}}}, "cveMetadata": {"cveId": "CVE-2024-41961", "state": "PUBLISHED", "dateUpdated": "2024-08-07T14:23:43.106Z", "dateReserved": "2024-07-24T16:51:40.951Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-08-01T14:33:46.684Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Elektra is an opinionated Openstack Dashboard for Operators and Consumers of Openstack Services. A code injection vulnerability was found in the live search functionality of the Ruby on Rails based Elektra web application. An authenticated user can craft a search term containing Ruby code, which later flows into an `eval` sink which executes the code. Fixed in commit 8bce00be93b95a6512ff68fe86bf9554e486bc02."}, {"lang": "es", "value": " Elektra es un panel de Openstack obstinado para operadores y consumidores de servicios Openstack. Se encontr\u00f3 una vulnerabilidad de inyecci\u00f3n de c\u00f3digo en la funcionalidad de b\u00fasqueda en vivo de la aplicaci\u00f3n web Elektra basada en Ruby on Rails. Un usuario autenticado puede crear un t\u00e9rmino de b\u00fasqueda que contenga c\u00f3digo Ruby, que luego fluye hacia un receptor \"eval\" que ejecuta el c\u00f3digo. Corregido en la confirmaci\u00f3n 8bce00be93b95a6512ff68fe86bf9554e486bc02."}], "id": "CVE-2024-41961", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-08-01T15:15:14.310", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/sapcc/elektra/commit/49aea3b365082681558bf3bf7bf4a51766cfc44d"}, {"source": "security-advisories@github.com", "url": "https://github.com/sapcc/elektra/commit/8bce00be93b95a6512ff68fe86bf9554e486bc02"}, {"source": "security-advisories@github.com", "url": "https://github.com/sapcc/elektra/security/advisories/GHSA-6j2h-486h-487q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}