CVE-2024-49774 (GCVE-0-2024-49774)
Vulnerability from cvelistv5 – Published: 2024-11-05 18:37 – Updated: 2024-11-05 18:59
VLAI?
Title
ModuleScanner flaws in SuiteCRM
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM relies on the blacklist of functions/methods to prevent installation of malicious MLPs. But this checks can be bypassed with some syntax constructions. SuiteCRM uses token_get_all to parse PHP scripts and check the resulted AST against blacklists. But it doesn't take into account all scenarios. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
7.2 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| salesagility | SuiteCRM |
Affected:
< 7.14.6
Affected: >= 8.0.0, < 8.7.1 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.14.6",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "8.7.1",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49774",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T18:58:36.364666Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T18:59:06.730Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 7.14.6"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM relies on the blacklist of functions/methods to prevent installation of malicious MLPs. But this checks can be bypassed with some syntax constructions. SuiteCRM uses token_get_all to parse PHP scripts and check the resulted AST against blacklists. But it doesn\u0027t take into account all scenarios. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T18:37:05.422Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-9v56-vhp4-x227",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-9v56-vhp4-x227"
}
],
"source": {
"advisory": "GHSA-9v56-vhp4-x227",
"discovery": "UNKNOWN"
},
"title": "ModuleScanner flaws in SuiteCRM"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-49774",
"datePublished": "2024-11-05T18:37:05.422Z",
"dateReserved": "2024-10-18T13:43:23.459Z",
"dateUpdated": "2024-11-05T18:59:06.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"7.14.6\", \"matchCriteriaId\": \"CA0F70A0-D9EC-477C-B064-B3BF05F267C0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.0.0\", \"versionEndExcluding\": \"8.7.1\", \"matchCriteriaId\": \"8D8D3AE6-92A3-4A31-82D8-4B0EA8DF78CC\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM relies on the blacklist of functions/methods to prevent installation of malicious MLPs. But this checks can be bypassed with some syntax constructions. SuiteCRM uses token_get_all to parse PHP scripts and check the resulted AST against blacklists. But it doesn\u0027t take into account all scenarios. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"}, {\"lang\": \"es\", \"value\": \"SuiteCRM es una aplicaci\\u00f3n de software de gesti\\u00f3n de relaciones con clientes (CRM) de c\\u00f3digo abierto y preparada para empresas. SuiteCRM se basa en la lista negra de funciones/m\\u00e9todos para evitar la instalaci\\u00f3n de MLP maliciosos. Pero estas comprobaciones se pueden omitir con algunas construcciones de sintaxis. SuiteCRM utiliza token_get_all para analizar scripts PHP y comprobar el AST resultante con listas negras. Pero no tiene en cuenta todos los escenarios. Este problema se ha solucionado en las versiones 7.14.6 y 8.7.1. Se recomienda a los usuarios que actualicen. No existen workarounds conocidas para esta vulnerabilidad.\"}]",
"id": "CVE-2024-49774",
"lastModified": "2024-11-13T20:40:26.100",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 5.9}]}",
"published": "2024-11-05T19:15:06.410",
"references": "[{\"url\": \"https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-9v56-vhp4-x227\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-49774\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-05T19:15:06.410\",\"lastModified\":\"2024-11-13T20:40:26.100\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM relies on the blacklist of functions/methods to prevent installation of malicious MLPs. But this checks can be bypassed with some syntax constructions. SuiteCRM uses token_get_all to parse PHP scripts and check the resulted AST against blacklists. But it doesn\u0027t take into account all scenarios. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"SuiteCRM es una aplicaci\u00f3n de software de gesti\u00f3n de relaciones con clientes (CRM) de c\u00f3digo abierto y preparada para empresas. SuiteCRM se basa en la lista negra de funciones/m\u00e9todos para evitar la instalaci\u00f3n de MLP maliciosos. Pero estas comprobaciones se pueden omitir con algunas construcciones de sintaxis. SuiteCRM utiliza token_get_all para analizar scripts PHP y comprobar el AST resultante con listas negras. Pero no tiene en cuenta todos los escenarios. Este problema se ha solucionado en las versiones 7.14.6 y 8.7.1. Se recomienda a los usuarios que actualicen. No existen workarounds conocidas para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.14.6\",\"matchCriteriaId\":\"CA0F70A0-D9EC-477C-B064-B3BF05F267C0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.0\",\"versionEndExcluding\":\"8.7.1\",\"matchCriteriaId\":\"8D8D3AE6-92A3-4A31-82D8-4B0EA8DF78CC\"}]}]}],\"references\":[{\"url\":\"https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-9v56-vhp4-x227\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-49774\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-05T18:58:36.364666Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*\"], \"vendor\": \"salesagility\", \"product\": \"suitecrm\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"7.14.6\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"8.0.0\", \"lessThan\": \"8.7.1\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-05T18:59:02.437Z\"}}], \"cna\": {\"title\": \"ModuleScanner flaws in SuiteCRM\", \"source\": {\"advisory\": \"GHSA-9v56-vhp4-x227\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"salesagility\", \"product\": \"SuiteCRM\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 7.14.6\"}, {\"status\": \"affected\", \"version\": \"\u003e= 8.0.0, \u003c 8.7.1\"}]}], \"references\": [{\"url\": \"https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-9v56-vhp4-x227\", \"name\": \"https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-9v56-vhp4-x227\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM relies on the blacklist of functions/methods to prevent installation of malicious MLPs. But this checks can be bypassed with some syntax constructions. SuiteCRM uses token_get_all to parse PHP scripts and check the resulted AST against blacklists. But it doesn\u0027t take into account all scenarios. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20: Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-05T18:37:05.422Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-49774\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-05T18:59:06.730Z\", \"dateReserved\": \"2024-10-18T13:43:23.459Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-11-05T18:37:05.422Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…