CVE-2024-48050

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') (CWE-95)

Published: Nov 4, 2024 / Updated: 15d ago

CVSS 9.8 / EPSS 0.04% / Critical

Summary

In agentscope versions 0.0.4 and earlier, there is a critical security vulnerability in the file agentscope\web\workstation\workflow_utils.py. The function is_callable_expression contains a line that uses the eval() function to execute user-provided commands directly. This vulnerability is classified as an Eval Injection, which falls under the category of Improper Neutralization of Directives in Dynamically Evaluated Code.
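The pattern described above next to a parse-only replacement, as an added example that is not agentscope's code or its patch. The function names with `_unsafe`/`_safe` suffixes, the `REGISTRY` allow-list and the `SIDE_EFFECTS` probe are assumptions made for illustration.

```python
import ast
import math

# Constructed probe: anything appended here proves the input string was executed.
SIDE_EFFECTS = []

# Assumed allow-list of callables a workflow may reference by name (hypothetical).
REGISTRY = {"len": len, "str.upper": str.upper, "math.sqrt": math.sqrt}


def is_callable_expression_unsafe(s):
    """The pattern the advisory describes: evaluate the string, then inspect it."""
    try:
        result = eval(s)  # runs caller-supplied code before any check happens
        return callable(result)
    except Exception:
        return False


def _dotted_name(node):
    """Return 'a.b.c' for a pure Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None  # calls, lambdas, subscripts, literals are all rejected
    parts.append(node.id)
    return ".".join(reversed(parts))


def is_callable_expression_safe(s):
    """Parse only; accept a dotted name that is present in REGISTRY."""
    try:
        tree = ast.parse(s.strip(), mode="eval")
    except (SyntaxError, ValueError, AttributeError):
        return False
    return _dotted_name(tree.body) in REGISTRY


def demo():
    """Feed the same benign constructed input to both versions."""
    probe = "SIDE_EFFECTS.append('ran')"
    SIDE_EFFECTS.clear()
    is_callable_expression_unsafe(probe)
    ran_unsafe = len(SIDE_EFFECTS)
    SIDE_EFFECTS.clear()
    verdict = is_callable_expression_safe(probe)
    return ran_unsafe, len(SIDE_EFFECTS), verdict
```

The unsafe version returns False for the probe, yet the side effect has already happened by then; the parse-only version never executes the input and resolves names through the registry lookup alone.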

Impact

This vulnerability allows attackers to execute arbitrary code on the affected system. By exploiting this flaw, malicious actors could potentially:

1. Execute unauthorized commands with the privileges of the application
2. Access, modify, or delete sensitive data
3. Install malware or backdoors
4. Use the compromised system as a launching point for further attacks
5. Potentially escalate privileges if the application is running with elevated permissions

The vulnerability leverages executable code in non-executable files, which can bypass security controls and lead to severe system compromise.

The CVSS v3.1 base score for this vulnerability is 9.8 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates:

- Network-based attack vector (AV:N)
- Low attack complexity (AC:L)
- No privileges required (PR:N)
- No user interaction needed (UI:N)
- Unchanged scope (S:U)
- High impact on confidentiality, integrity, and availability (C:H/I:H/A:H)

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. The vulnerability has been addressed in versions newer than 0.0.4 of agentscope. Users should update to the latest version immediately to mitigate this risk.

Mitigation

1. Update agentscope to the latest version (higher than 0.0.4) immediately.
2. If immediate updating is not possible, consider temporarily disabling or restricting access to the affected component until the update can be applied.
3. Implement strict input validation and sanitization for any user-provided data that might be processed by the application.
4. Apply the principle of least privilege to the application, ensuring it runs with minimal necessary permissions.
5. Use code analysis tools to detect and prevent the use of dangerous functions like eval() in your codebase.
6. Implement additional security layers such as Web Application Firewalls (WAF) to help detect and block potential injection attacks.
7. Regularly audit and review code, especially focusing on areas that handle user input or dynamic code execution.
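For item 5, a small AST-based check that reports calls to eval(), exec() and compile() and whether the first argument is a literal or a runtime value. This is an added sketch, not a tool named by the advisory; `find_dynamic_eval`, `DYNAMIC_EXEC` and the `SAMPLE` source are constructed for illustration.

```python
import ast

# Builtins that turn a string into running code.
DYNAMIC_EXEC = {"eval", "exec", "compile"}

# Constructed sample input, not code from the agentscope repository.
SAMPLE = '''\
import re
def is_callable_expression(s):
    # eval() in a comment is not a call
    result = eval(s)
    return callable(result)
PATTERN = re.compile("eval")
TWO = eval("1 + 1")
'''


def _builtin_name(func):
    """Name of the called builtin for `eval(...)` or `builtins.eval(...)`."""
    if isinstance(func, ast.Name):
        return func.id
    if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
            and func.value.id == "builtins"):
        return func.attr
    return None  # e.g. re.compile is a method on another module, not the builtin


def find_dynamic_eval(source, filename="<string>"):
    """Return sorted (line, builtin, 'literal'|'dynamic') for each risky call."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _builtin_name(node.func)
        if name not in DYNAMIC_EXEC:
            continue
        first = node.args[0] if node.args else None
        # A constant argument cannot carry user input; anything else might.
        kind = "literal" if isinstance(first, ast.Constant) else "dynamic"
        findings.append((node.lineno, name, kind))
    return sorted(findings)
```

Unlike a text search, this ignores the comment and the `re.compile("eval")` call in the sample. It does not follow aliases such as `e = eval`, so treat it as a first-pass filter for review.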

Timeline

CVE Assignment
NVD published the first details for CVE-2024-48050
Nov 4, 2024 at 11:15 PM

First Article
Feedly found the first article mentioning CVE-2024-48050.
Nov 4, 2024 at 11:21 PM / National Vulnerability Database

CVSS Estimate
Feedly estimated the CVSS score as HIGH
Nov 4, 2024 at 11:21 PM

Vendor Advisory
GitHub Advisories released a security advisory.
Nov 5, 2024 at 12:31 AM

EPSS
EPSS Score was set to: 0.04% (Percentile: 10%)
Nov 5, 2024 at 10:05 AM

CVSS
A CVSS base score of 9.8 has been assigned.
Nov 6, 2024 at 9:40 PM / nvd

Affected Systems

Apache

Patches

Github Advisory

Attack Patterns

CAPEC-35: Leverage Executable Code in Non-Executable Files

Vendor Advisory

[GHSA-6p55-qr3j-mpgq] AgentScope uses `eval`
GitHub Security Advisory: GHSA-6p55-qr3j-mpgq
Release Date: 2024-11-05
Update Date: 2024-11-05
Severity: High
CVE-2024-48050

Package Information
Package: agentscope
Affected Versions:
Patched Versions: None

Description
In agentscope

References
https://nvd.nist.gov/vuln/detail/CVE-2024-48050
https://gist.github.com/AfterSnows/0ad9d233a9d2a5b7e6e5273e2e23508d
https://rumbling-slice-eb0.notion.site/Unauthenticated-Remote-Code-Execution-via-The-use-of-eval-in-is_callable_expression-and-sanitize_nod-cd4ea6c576da4e0b965ef596855c298d
https://github.com/modelscope/agentscope/blob/main/src/agentscope/web/workstation/workflow_utils.py#L11

News

AgentScope uses `eval`
In agentscope <=v0.0.4, the file agentscope\web\workstation\workflow_utils.py has the function is_callable_expression. Within this function, the line result = eval(s) poses a security risk as it can directly execute user-provided commands.
CVE-2024-48050
Critical Severity Description In agentscope Read more at https://www.tenable.com/cve/CVE-2024-48050
CVE-2024-48050 - Exploits & Severity - Feedly
Feedly estimated the CVSS score as HIGH. Nov 4, 2024 at 3:21 PM. Static CVE Timeline Graph. Affected Systems. Apache. +0 more. News. NA - CVE-2024- ...
NA - CVE-2024-48050 - In agentscope
In agentscope

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
