CVE-2024-50611

Improper Control of Generation of Code ('Code Injection') (CWE-94)

Published: Oct 27, 2024 / Updated: 23d ago

CVSS 7.2 / EPSS 0.05% / High

Summary

CycloneDX cdxgen through version 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts. This is similar to a previously known issue (CVE-2022-24441). Note that this vulnerability has been characterized as a design limitation rather than an implementation mistake. cdxgen is used by other tools, including OWASP dep-scan.

Impact

This vulnerability could allow arbitrary code execution when cdxgen is run against an untrusted codebase. An attacker could exploit it by placing malicious build-related files, such as build.gradle.kts, in a codebase; the code in those files would be executed when cdxgen processes it. This could lead to unauthorized access, data theft, or further system compromise. The impact is particularly concerning for security teams and developers who might unknowingly run cdxgen on untrusted or third-party codebases.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation at the moment.

Patch

A patch is available. According to the vulnerability data, patch details were added on 2024-10-28, and the vulnerability is marked as patched. For more information about the patch, security teams should refer to the GitHub Advisory at https://github.com/advisories/GHSA-hxf3-vgpm-fv9p.

Mitigation

1. Update CycloneDX cdxgen to a version newer than 10.10.7 as soon as possible.
2. Exercise caution when running cdxgen against untrusted codebases.
3. Implement additional security measures such as sandboxing or isolation when processing potentially untrusted code.
4. Review and audit any build-related files, especially build.gradle.kts, before running cdxgen.
5. Consider using alternative tools for dependency analysis if immediate patching is not possible.
6. Monitor the official CycloneDX cdxgen repository for further updates and security advisories.
7. If using OWASP dep-scan or other tools that depend on cdxgen, ensure they are also updated to use the patched version of cdxgen.
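Steps 1 and 4 above can be turned into a small pre-flight check that runs before cdxgen is pointed at a checkout you do not control. The script below is an added example for this page, not code from the cdxgen project: it compares an installed version string against the last affected release (10.10.7, from the advisory) and inventories any build.gradle.kts files (the only build file the advisory names) so they can be reviewed first. The version string is assumed to be whatever `cdxgen --version` prints on your system; its exact format is not documented on this page, so the parser only looks for the first dotted numeric triple.

```python
"""Pre-flight check before running cdxgen on an untrusted codebase.

Added illustration for CVE-2024-50611; not cdxgen's own code.
Assumptions: LAST_AFFECTED comes from the advisory ("through 10.10.7");
FLAGGED_NAMES contains only the file the advisory names; the version
text is read by the caller (e.g. from `cdxgen --version`, format assumed).
"""
import os
import re
from pathlib import Path

LAST_AFFECTED = (10, 10, 7)            # last release the advisory calls affected
FLAGGED_NAMES = {"build.gradle.kts"}   # build file named in the advisory


def parse_version(text: str) -> tuple:
    """Return the first dotted numeric version in text as an int tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text: str) -> bool:
    """True when the installed cdxgen is at or below the last affected release."""
    return parse_version(version_text) <= LAST_AFFECTED


def flag_paths(paths) -> list:
    """Filter an iterable of relative paths down to build files needing review."""
    return sorted(p for p in paths if os.path.basename(p) in FLAGGED_NAMES)


def find_build_scripts(root: str) -> list:
    """Walk a directory tree and return flagged build files relative to root."""
    root_path = Path(root)
    found = []
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            found.append(str(Path(dirpath, name).relative_to(root_path)))
    return flag_paths(found)


def preflight(version_text: str, paths) -> dict:
    """Combine both checks into a decision the caller can act on.

    review_required is set when an affected cdxgen would be run over a tree
    that contains build files the advisory says may be executed.
    """
    scripts = flag_paths(paths)
    affected = is_affected(version_text)
    return {
        "affected_version": affected,
        "build_scripts": scripts,
        "review_required": affected and bool(scripts),
    }


if __name__ == "__main__":
    import sys
    # Usage: python preflight.py "<output of cdxgen --version>" <checkout dir>
    version_arg = sys.argv[1] if len(sys.argv) > 1 else "10.10.7"   # constructed default
    root_arg = sys.argv[2] if len(sys.argv) > 2 else "."
    report = preflight(version_arg, find_build_scripts(root_arg))
    print(report)
    if report["review_required"]:
        print("Affected cdxgen plus build scripts found: review before running.")
```

Even on a patched cdxgen the `build_scripts` list is worth reading, since the advisory describes the behaviour as a design limitation; the `review_required` flag only encodes the narrower case where both risk factors from steps 1 and 4 are present.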

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-50611

Oct 27, 2024 at 10:15 PM
First Article

Feedly found the first article mentioning CVE-2024-50611. See article

Oct 27, 2024 at 10:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 27, 2024 at 10:29 PM
Vendor Advisory

GitHub Advisories released a security advisory.

Oct 28, 2024 at 12:30 AM
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.6%)

Oct 28, 2024 at 10:11 AM
CVSS

A CVSS base score of 7.2 has been assigned.

Oct 30, 2024 at 7:40 PM / nvd

Affected Systems

Cyclonedx

Patches

GitHub Advisory

Attack Patterns

CAPEC-242: Code Injection

Vendor Advisory

[GHSA-hxf3-vgpm-fv9p] CycloneDX cdxgen may execute code contained within build-related files
Package: @cyclonedx/cdxgen https://github.com/CycloneDX/cdxgen/releases

News

CycloneDX cdxgen may execute code contained within build-related files
CycloneDX cdxgen through 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example, OWASP dep-scan. NOTE: this has been characterized as a design limitation, rather than an implementation mistake.
NA - CVE-2024-50611 - CycloneDX cdxgen through 10.10.7, when run...
CycloneDX cdxgen through 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen...
CVE-2024-50611
Critical Severity Description CycloneDX cdxgen through 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example, OWASP dep-scan. NOTE: this has been characterized as a design limitation, rather than an implementation mistake. Read more at https://www.tenable.com/cve/CVE-2024-50611
CVE-2024-50611
CycloneDX cdxgen through 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example, OWASP dep-scan.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
