{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-4748", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2024-05-10T11:25:24.322Z", "datePublished": "2024-06-24T13:52:12.451Z", "dateUpdated": "2024-10-10T15:36:20.059Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "CRUDDIY", "repo": "https://github.com/jan-vandenberg/cruddiy", "vendor": "CRUDDIY", "versions": [{"lessThanOrEqual": "202312.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Krzysztof Zaj\u0105c (CERT.PL)"}], "datePublic": "2024-06-24T12:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The CRUDDIY project is vulnerable to shell command injection via sending a crafted POST request to the application server.&nbsp;<br>The exploitation risk is limited since CRUDDIY is meant to be launched locally. Nevertheless, a user with the project running on their computer might visit a website which would send such a malicious request to the locally launched server.&nbsp;"}], "value": "The CRUDDIY project is vulnerable to shell command injection via sending a crafted POST request to the application server.\u00a0\nThe exploitation risk is limited since CRUDDIY is meant to be launched locally. Nevertheless, a user with the project running on their computer might visit a website which would send such a malicious request to the locally launched server."}], "impacts": [{"capecId": "CAPEC-248", "descriptions": [{"lang": "en", "value": "CAPEC-248 Command Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2024-10-10T15:36:20.059Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2024/06/CVE-2024-4748"}, {"tags": ["third-party-advisory"], "url": "https://cert.pl/posts/2024/06/CVE-2024-4748"}, {"tags": ["issue-tracking"], "url": "https://github.com/jan-vandenberg/cruddiy/issues/67"}], "source": {"discovery": "UNKNOWN"}, "title": "RCE in Cruddiy", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "cruddiy", "product": "cruddiy", "cpes": ["cpe:2.3:a:cruddiy:cruddiy:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "202312.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-25T14:02:18.641194Z", "id": "CVE-2024-4748", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-25T14:10:04.322Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:47:41.697Z"}, "title": "CVE Program Container", "references": [{"tags": ["third-party-advisory", "x_transferred"], "url": "https://cert.pl/en/posts/2024/06/CVE-2024-4748"}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://cert.pl/posts/2024/06/CVE-2024-4748"}, {"tags": ["issue-tracking", "x_transferred"], "url": "https://github.com/jan-vandenberg/cruddiy/issues/67"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://cert.pl/en/posts/2024/06/CVE-2024-4748", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://cert.pl/posts/2024/06/CVE-2024-4748", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://github.com/jan-vandenberg/cruddiy/issues/67", "tags": ["issue-tracking", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:47:41.697Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-4748", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-25T14:02:18.641194Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:cruddiy:cruddiy:*:*:*:*:*:*:*:*"], "vendor": "cruddiy", "product": "cruddiy", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "202312.1"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-25T14:04:31.462Z"}}], "cna": {"title": "RCE in Cruddiy", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Krzysztof Zaj\u0105c (CERT.PL)"}], "impacts": [{"capecId": "CAPEC-248", "descriptions": [{"lang": "en", "value": "CAPEC-248 Command Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/jan-vandenberg/cruddiy", "vendor": "CRUDDIY", "product": "CRUDDIY", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "202312.1"}], "defaultStatus": "unknown"}], "datePublic": "2024-06-24T12:00:00.000Z", "references": [{"url": "https://cert.pl/en/posts/2024/06/CVE-2024-4748", "tags": ["third-party-advisory"]}, {"url": "https://cert.pl/posts/2024/06/CVE-2024-4748", "tags": ["third-party-advisory"]}, {"url": "https://github.com/jan-vandenberg/cruddiy/issues/67", "tags": ["issue-tracking"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "The CRUDDIY project is vulnerable to shell command injection via sending a crafted POST request to the application server.\u00a0\nThe exploitation risk is limited since CRUDDIY is meant to be launched locally. Nevertheless, a user with the project running on their computer might visit a website which would send such a malicious request to the locally launched server.", "supportingMedia": [{"type": "text/html", "value": "The CRUDDIY project is vulnerable to shell command injection via sending a crafted POST request to the application server.&nbsp;<br>The exploitation risk is limited since CRUDDIY is meant to be launched locally. Nevertheless, a user with the project running on their computer might visit a website which would send such a malicious request to the locally launched server.&nbsp;", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2024-10-10T15:36:20.059Z"}}}, "cveMetadata": {"cveId": "CVE-2024-4748", "state": "PUBLISHED", "dateUpdated": "2024-10-10T15:36:20.059Z", "dateReserved": "2024-05-10T11:25:24.322Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2024-06-24T13:52:12.451Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:j11g:cruddiy:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5908333-F478-4071-A90D-BEC428110174", "versionEndIncluding": "202312.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The CRUDDIY project is vulnerable to shell command injection via sending a crafted POST request to the application server.\u00a0\nThe exploitation risk is limited since CRUDDIY is meant to be launched locally. Nevertheless, a user with the project running on their computer might visit a website which would send such a malicious request to the locally launched server."}, {"lang": "es", "value": "El proyecto CRUDDIY es vulnerable a la inyecci\u00f3n de comandos de shell mediante el env\u00edo de una solicitud POST manipulada al servidor de aplicaciones. El riesgo de explotaci\u00f3n es limitado ya que CRUDDIY debe lanzarse localmente. Sin embargo, un usuario con el proyecto ejecut\u00e1ndose en su computadora podr\u00eda visitar un sitio web que enviar\u00eda una solicitud maliciosa al servidor iniciado localmente."}], "id": "CVE-2024-4748", "lastModified": "2024-11-21T09:43:30.787", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "cvd@cert.pl", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-24T14:15:13.030", "references": [{"source": "cvd@cert.pl", "tags": ["Third Party Advisory"], "url": "https://cert.pl/en/posts/2024/06/CVE-2024-4748"}, {"source": "cvd@cert.pl", "tags": ["Third Party Advisory"], "url": "https://cert.pl/posts/2024/06/CVE-2024-4748"}, {"source": "cvd@cert.pl", "tags": ["Issue Tracking"], "url": "https://github.com/jan-vandenberg/cruddiy/issues/67"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert.pl/en/posts/2024/06/CVE-2024-4748"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert.pl/posts/2024/06/CVE-2024-4748"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://github.com/jan-vandenberg/cruddiy/issues/67"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "cvd@cert.pl", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}