CVE-2024-36522

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

Published: Jul 12, 2024 / Updated: 4mo ago

CVSS 9.8 / EPSS 0.04% / Critical

Summary

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation.

Impact

This vulnerability allows attackers to execute arbitrary code remotely on the affected systems. The impact could be severe, potentially leading to unauthorized access, data theft, system compromise, or further lateral movement within the network. Given that it's related to processing untrusted input, it could be exploited through various attack vectors, including web applications or any system that processes XSLT from external sources.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.

Mitigation

1. Immediately upgrade to the patched versions: 10.1.0, 9.18.0, or 8.16.0, depending on your current major version.
2. If immediate patching is not possible, implement input validation and sanitization for all data processed by XSLTResourceStream.java, especially from untrusted sources.
3. Limit the processing of XSLT from external or untrusted sources wherever possible.
4. Implement network segmentation to isolate systems that must process potentially untrusted XSLT.
5. Monitor systems for unusual activities that could indicate exploitation attempts.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-36522.

Jun 2, 2024 at 9:53 AM / announce

CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jun 2, 2024 at 9:53 AM

CVE Assignment

NVD published the first details for CVE-2024-36522

Jul 12, 2024 at 1:15 PM

Trending

This CVE started to trend in security discussions

Jul 12, 2024 at 9:36 PM

EPSS

EPSS Score was set to: 0.04% (Percentile: 9.3%)

Jul 14, 2024 at 2:43 PM

Trending

This CVE stopped trending in security discussions

Jul 14, 2024 at 7:40 PM

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (5000403)

Jul 15, 2024 at 7:53 AM

Threat Intelligence Report

The vulnerability CVE-2024-36522 has a critical CVSS Base Score of 9.8, indicating its severity. It is currently being exploited in the wild by threat actors, with proof-of-concept exploits available. Mitigations, detections, and patches are not yet available, leading to potential downstream impacts on other third-party vendors or technologies.

Jul 18, 2024 at 1:18 PM

CVSS

A CVSS base score of 9.8 has been assigned.

Aug 1, 2024 at 1:56 PM / nvd

Affected Systems

Microsoft/web_applications

Patches

Github Advisory

Links to Mitre Att&cks

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables

Vendor Advisory

[GHSA-hhwc-gh8h-9rrp] Apache Wicket: Remote code execution via XSLT injection
GitHub Security Advisory: GHSA-hhwc-gh8h-9rrp
Release Date: 2024-07-12
Update Date: 2024-07-12
Severity: High
CVE-2024-36522

Package Information
Package: org.apache.wicket:wicket-core
Affected Versions: >= 10.0.0-M1
Patched Versions: 10.1.0

Description
The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.

References
https://nvd.nist.gov/vuln/detail/CVE-2024-36522
https://lists.apache.org/thread/w613qh7yors840pbx00l1pq6wkl9jzkc
http://www.openwall.com/lists/oss-security/2024/07/12/2

News

Apache Wicket Web Framework
We use semantic versioning for the development of Wicket, and as such no API breaks are present in this release compared to 8.0.0. Download: http://wicket.apache.org/start/wicket-8.x.html#manually
CVE-2024-36522: Apache Wicket Vulnerability Opens Door to Remote Code Execution
The Apache Software Foundation has issued a security advisory regarding a vulnerability ( CVE-2024-36522 ) impacting Apache Wicket, a widely used Java web application framework. The vulnerability, stemming from improper input validation in the XSLTResourceStream.java component, enables attackers to remotely execute arbitrary code on affected systems.
NA - CVE-2024-36522 - The default configuration of...
The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation.
cveNotify: CVE-2024-36522 - The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue. (@cveNotify)

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
