CVE-2024-48746

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Nov 5, 2024 / Updated: 14d ago

CVSS 9.8 / EPSS 0.04% / Critical

Summary

An issue in Lens Visual integration with Power BI v.4.0.0.3 allows a remote attacker to execute arbitrary code via the Natural language processing component

Impact

This vulnerability has a high severity with a CVSS base score of 9.8. It allows remote attackers to execute arbitrary code, potentially leading to complete system compromise. The attack vector is network-based, requires no user interaction, and can be executed with no privileges. The vulnerability affects the confidentiality, integrity, and availability of the system, all rated as high impact.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

Based on the available information, no patch for this vulnerability has been announced.

Mitigation

While no specific mitigation is mentioned, general recommendations would include:

1. Upgrade the Lens Visual integration for Power BI to a version newer than v.4.0.0.3, if one is available.
2. Implement network segmentation to limit access to the affected system.
3. Monitor for suspicious activity related to the Natural language processing component.
4. Apply the principle of least privilege to limit the potential damage from exploitation.
5. Disable the Lens Visual integration feature if it is not essential for operations until a patch is available.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-48746

Nov 5, 2024 at 11:15 PM
First Article

Feedly found the first article mentioning CVE-2024-48746.

Nov 5, 2024 at 11:22 PM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 5, 2024 at 11:22 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10%)

Nov 6, 2024 at 10:25 AM
CVSS

A CVSS base score of 9.8 has been assigned.

Nov 6, 2024 at 5:40 PM / nvd

Affected Systems

Microsoft/power_bi

Attack Patterns

CAPEC-136: LDAP Injection

News

NA - CVE-2024-48746 - An issue in Lens Visual integration with Power...
An issue in Lens Visual integration with Power BI v.4.0.0.3 allows a remote attacker to execute arbitrary code via the Natural language processing component
CVE-2024-48746 | Lens Visual Power BI 4.0.0.3 Natural language Processing Privilege Escalation
A vulnerability has been found in Lens Visual Power BI 4.0.0.3 and classified as critical. Affected by this vulnerability is an unknown functionality of the component Natural language Processing. The manipulation leads to Privilege Escalation. This vulnerability is known as CVE-2024-48746. The attack can be launched remotely. There is no exploit available.
CVE-2024-48746 - Power BI Lens Visual Remote Code Execution Vulnerability
CVE ID : CVE-2024-48746 Published : Nov. 5, 2024, 11:15 p.m. 46 minutes ago Description : An issue in Lens Visual integration with Power BI v.4.0.0.3 allows a remote attacker to execute arbitrary code via the Natural language processing component Severity: 0.0 NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-48746
An issue in Lens Visual integration with Power BI v.4.0.0.3 allows a remote attacker to execute arbitrary code via the Natural language processing component
CVE-2024-48746
An issue in Lens Visual integration with Power BI v.4.0.0.3 allows a remote attacker to execute arbitrary code via the Natural language processing...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
