CVE-2024-49361

Improper Input Validation (CWE-20)

Published: Oct 18, 2024 / Updated: 32d ago

CVSS 8.1 / EPSS 0.04% / Severity: High

Summary

ACON, a widely-used library of machine learning tools focused on adaptive correlation optimization, has a potential vulnerability in its input validation process. An attacker can submit crafted input data that bypasses the library's validation, which in certain machine learning applications built on ACON results in remote code execution.

Impact

This vulnerability could allow attackers to execute arbitrary code remotely on systems running applications that use the ACON library. Every deployment that passes data through ACON's input-handling functions is potentially exposed; machine learning models and applications that ingest user-generated data without prior sanitization are the most exposed, and production servers reachable from untrusted networks are at heightened risk because the flaw is remotely exploitable. Successful exploitation could lead to unauthorized system access, data breaches, and full compromise of the affected machine learning applications and their host systems.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the time of writing.

Patch

As of the time of publication, it is unclear whether a fix is available. The VulDB entry cited under News below lists torinriley ACON up to 1.1.0 as affected (GHSA-345g-6rmp-3cv9), so deployments on those versions should treat themselves as unpatched until the project publishes otherwise.

Mitigation

While no specific patch is mentioned, potential mitigation strategies include:

1. Implement strict input validation and sanitization for all data processed by ACON, especially user-generated input.
2. Limit the exposure of applications using ACON, particularly those processing user input, to untrusted networks.
3. Monitor systems for unusual activity that could indicate exploitation attempts.
4. Consider additional security layers, such as a Web Application Firewall (WAF), to filter potentially malicious inputs.
5. Regularly check for updates from the ACON developers and apply any security patches as soon as they become available.
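As an added example of what "strict input validation" in item 1 means in practice for numeric ML input (this is not ACON's code: the page does not describe ACON's input-handling API, so the accepted format, a JSON object carrying a `features` matrix, and the size and value bounds are assumptions for the example), the following Python gate caps the payload size before parsing, enforces an exact schema, requires a rectangular shape, accepts only finite values in a declared range, and rejects outright rather than coercing anything that fails.

```python
import json
import math
from typing import List

# Bounds are assumptions for this example; tune them to the real model's domain.
MAX_BYTES = 1_000_000   # checked before parsing, so oversized input never reaches the parser
MAX_ROWS = 10_000
MAX_COLS = 512
VALUE_MIN, VALUE_MAX = -1e6, 1e6
ALLOWED_KEYS = {"features"}   # assumed request schema: {"features": [[...], ...]}


class InvalidInput(ValueError):
    """Raised for any payload that fails the gate. Callers must reject, never coerce."""


def _check_number(x: object, row: int, col: int) -> float:
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(x, bool) or not isinstance(x, (int, float)):
        raise InvalidInput(f"non-numeric value at [{row}][{col}]")
    try:
        v = float(x)            # a huge JSON integer literal can overflow here
    except OverflowError:
        raise InvalidInput(f"value too large at [{row}][{col}]")
    # json.loads accepts the NaN/Infinity tokens and turns 1e999 into inf,
    # so finiteness has to be checked here rather than assumed.
    if not math.isfinite(v):
        raise InvalidInput(f"non-finite value at [{row}][{col}]")
    if not VALUE_MIN <= v <= VALUE_MAX:
        raise InvalidInput(f"value out of range at [{row}][{col}]")
    return v


def validate_feature_matrix(raw: bytes) -> List[List[float]]:
    """Parse an untrusted payload into a rectangular matrix of finite floats.

    Every check happens before anything is handed to a downstream library;
    any failure raises InvalidInput and nothing partial is returned.
    """
    if not isinstance(raw, (bytes, bytearray)):
        raise InvalidInput("payload must be bytes")
    if len(raw) > MAX_BYTES:
        raise InvalidInput("payload too large")
    try:
        doc = json.loads(raw.decode("utf-8"))
    except ValueError as exc:   # covers UnicodeDecodeError and JSONDecodeError
        raise InvalidInput(f"malformed payload: {type(exc).__name__}")
    if not isinstance(doc, dict) or set(doc) != ALLOWED_KEYS:
        raise InvalidInput("payload must be an object with exactly the key 'features'")
    rows = doc["features"]
    if not isinstance(rows, list) or not 1 <= len(rows) <= MAX_ROWS:
        raise InvalidInput("features must be a non-empty list of rows")
    width = None
    matrix: List[List[float]] = []
    for i, row in enumerate(rows):
        if not isinstance(row, list) or not 1 <= len(row) <= MAX_COLS:
            raise InvalidInput(f"row {i} must be a non-empty list")
        if width is None:
            width = len(row)
        elif len(row) != width:
            raise InvalidInput(f"row {i} has {len(row)} columns, expected {width}")
        matrix.append([_check_number(x, i, j) for j, x in enumerate(row)])
    return matrix


def rejects(raw: bytes) -> bool:
    """True if the gate refuses the payload (used below to exercise the failure paths)."""
    try:
        validate_feature_matrix(raw)
    except InvalidInput:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    print(validate_feature_matrix(b'{"features": [[1, 2.5], [3, 4]]}'))
    for bad in (b'{"features": [[NaN]]}',            # NaN token is accepted by json.loads
                b'{"features": [[1, 2], [3]]}',       # ragged rows
                b'{"features": [[1, true]]}',         # bool smuggled as a number
                b'{"features": [[1]], "x": 1}',       # unexpected key
                b'{"features": [["1"]]}',             # string where a number is expected
                b'{"features": [[1e999]]}',           # parses to inf
                b'not json'):
        assert rejects(bad), bad
```

Two points the gate relies on are easy to miss: Python's `json.loads` accepts the non-standard `NaN` and `Infinity` tokens and silently turns out-of-range literals such as `1e999` into `inf`, so a finiteness check after parsing is required, not optional; and a gate like this only helps for structured data. Serialized object formats (pickle and formats that embed it) execute code on load by design and should never be accepted from untrusted sources, whatever validation sits in front of them.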

CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

CVE Assignment

NVD published the first details for CVE-2024-49361

Oct 18, 2024 at 7:15 PM
CVSS

A CVSS base score of 8.1 has been assigned.

Oct 18, 2024 at 7:21 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-49361.

Oct 18, 2024 at 7:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 18, 2024 at 7:24 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 19, 2024 at 9:48 AM

Links to MITRE ATT&CK

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables

News

CVE-2024-49361
This issue could allow an attacker to submit malicious input data, bypassing input validation, resulting in remote code execution in certain machine learning applications using the ACON library. Users running ACON on production servers are at heightened risk, as the vulnerability could be exploited remotely.
NA - CVE-2024-49361 - ACON is a widely-used library of tools for...
ACON is a widely-used library of tools for machine learning that focuses on adaptive correlation optimization. A potential vulnerability has been identified in the input validation process, which...
Update Fri Oct 18 22:38:54 UTC 2024
CVE-2024-49361 - Exploits & Severity - Feedly
The issue allows an attacker to submit malicious input data, bypassing input validation, resulting in remote code execution in certain machine learning applications using the ACON library. This vulnerability could allow attackers to execute arbitrary code remotely on systems running applications that use the ACON library.
CVE-2024-49361 | torinriley ACON up to 1.1.0 input validation (GHSA-345g-6rmp-3cv9)
A vulnerability was found in torinriley ACON up to 1.1.0 and classified as very critical . This issue affects some unknown processing. The manipulation leads to improper input validation. The identification of this vulnerability is CVE-2024-49361 . The attack may be initiated remotely. There is no exploit available.

CVSS V3.1

Unknown
