FKIE_CVE-2024-4748

Vulnerability from fkie_nvd - Published: 2024-06-24 14:15 - Updated: 2026-06-17 08:02
Severity
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
The CRUDDIY project is vulnerable to shell command injection via sending a crafted POST request to the application server.  The exploitation risk is limited since CRUDDIY is meant to be launched locally. Nevertheless, a user with the project running on their computer might visit a website which would send such a malicious request to the locally launched server.
References
cvd@cert.plhttps://cert.pl/en/posts/2024/06/CVE-2024-4748Third Party Advisory
cvd@cert.plhttps://cert.pl/posts/2024/06/CVE-2024-4748Third Party Advisory
cvd@cert.plhttps://github.com/jan-vandenberg/cruddiy/issues/67Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://cert.pl/en/posts/2024/06/CVE-2024-4748Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://cert.pl/posts/2024/06/CVE-2024-4748Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/jan-vandenberg/cruddiy/issues/67Issue Tracking
Impacted products
Vendor Product Version
j11g cruddiy *
To clipboard 

{
  "affected": [
    {
      "affectedData": [
        {
          "defaultStatus": "unknown",
          "product": "CRUDDIY",
          "repo": "https://github.com/jan-vandenberg/cruddiy",
          "vendor": "CRUDDIY",
          "versions": [
            {
              "lessThanOrEqual": "202312.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "source": "cvd@cert.pl"
    },
    {
      "affectedData": [
        {
          "cpes": [
            "cpe:2.3:a:cruddiy:cruddiy:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "product": "cruddiy",
          "vendor": "cruddiy",
          "versions": [
            {
              "lessThanOrEqual": "202312.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:j11g:cruddiy:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A5908333-F478-4071-A90D-BEC428110174",
              "versionEndIncluding": "202312.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The CRUDDIY project is vulnerable to shell command injection via sending a crafted POST request to the application server.\u00a0\nThe exploitation risk is limited since CRUDDIY is meant to be launched locally. Nevertheless, a user with the project running on their computer might visit a website which would send such a malicious request to the locally launched server."
    },
    {
      "lang": "es",
      "value": "El proyecto CRUDDIY es vulnerable a la inyecci\u00f3n de comandos de shell mediante el env\u00edo de una solicitud POST manipulada al servidor de aplicaciones. El riesgo de explotaci\u00f3n es limitado ya que CRUDDIY debe lanzarse localmente. Sin embargo, un usuario con el proyecto ejecut\u00e1ndose en su computadora podr\u00eda visitar un sitio web que enviar\u00eda una solicitud maliciosa al servidor iniciado localmente."
    }
  ],
  "id": "CVE-2024-4748",
  "lastModified": "2026-06-17T08:02:33.057",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "cvd@cert.pl",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2024-4748",
          "options": [
            {
              "exploitation": "none"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "total"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2024-06-25T14:02:18.641194Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2024-06-24T14:15:13.030",
  "references": [
    {
      "source": "cvd@cert.pl",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://cert.pl/en/posts/2024/06/CVE-2024-4748"
    },
    {
      "source": "cvd@cert.pl",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://cert.pl/posts/2024/06/CVE-2024-4748"
    },
    {
      "source": "cvd@cert.pl",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/jan-vandenberg/cruddiy/issues/67"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://cert.pl/en/posts/2024/06/CVE-2024-4748"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://cert.pl/posts/2024/06/CVE-2024-4748"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/jan-vandenberg/cruddiy/issues/67"
    }
  ],
  "sourceIdentifier": "cvd@cert.pl",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "cvd@cert.pl",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.