Exploit
CVE-2024-51136

XML Injection (aka Blind XPath Injection) (CWE-91)

Published: Nov 4, 2024 / Updated: 15d ago

010
CVSS 9.8EPSS 0.05%Critical
CVE info copied to clipboard

Summary

An XML External Entity (XXE) vulnerability in Dmoz2CSV in openimaj v1.3.10 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted XML file.

Impact

This vulnerability has a high severity with a CVSS v3.1 base score of 9.8 out of 10. It allows attackers to potentially access sensitive information or execute arbitrary code on the affected system. The impact on confidentiality, integrity, and availability is rated as HIGH. The attack vector is through the network, requires no user interaction, and can be executed with low attack complexity without needing any privileges.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of proof of exploitation at the moment.

Patch

There is no information provided about an available patch for this vulnerability in openimaj v1.3.10.

Mitigation

While no specific mitigation steps are provided, general best practices for XXE vulnerabilities include: 1. Disable XML external entity and DTD processing in XML parsers 2. Use less complex data formats like JSON where possible 3. Patch and update the openimaj library to a version that addresses this vulnerability once available 4. Implement strong input validation for any XML data processed by the application 5. Use XML parser security features to prevent XXE attacks

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-51136

Nov 4, 2024 at 5:15 PM
First Article

Feedly found the first article mentioning CVE-2024-51136. See article

Nov 4, 2024 at 5:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Nov 4, 2024 at 5:21 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.7%)

Nov 5, 2024 at 10:05 AM
CVSS

A CVSS base score of 9.8 has been assigned.

Nov 5, 2024 at 9:40 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Nov 6, 2024 at 10:10 PM
Static CVE Timeline Graph

Affected Systems

Openimaj/openimaj
+null more

Exploits

https://github.com/openimaj/openimaj/issues/382
+null more

Attack Patterns

CAPEC-250: XML Injection
+null more

News

CVE-2024-51136 Exploit
CVE Id : CVE-2024-51136 Published Date: 2024-11-06T19:31:00+00:00 An XML External Entity (XXE) vulnerability in Dmoz2CSV in openimaj v1.3.10 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted XML file. inTheWild added a link to an exploit: https://github.com/openimaj/openimaj/issues/382
Update Tue Nov 5 14:31:28 UTC 2024
Update Tue Nov 5 14:31:28 UTC 2024
NA - CVE-2024-51136 - An XML External Entity (XXE) vulnerability in...
An XML External Entity (XXE) vulnerability in Dmoz2CSV in openimaj v1.3.10 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted XML file.
CVE-2024-51136 | openimaj 1.3.10 Dmoz2CSV xml external entity reference
A vulnerability was found in openimaj 1.3.10 and classified as problematic . Affected by this issue is some unknown functionality of the component Dmoz2CSV . The manipulation leads to xml external entity reference. This vulnerability is handled as CVE-2024-51136 . The attack needs to be initiated within the local network. There is no exploit available.
CVE-2024-51136 - Openimaj Dmoz2CSV XXE Vulnerability
CVE ID : CVE-2024-51136 Published : Nov. 4, 2024, 5:15 p.m. 46 minutes ago Description : An XML External Entity (XXE) vulnerability in Dmoz2CSV in openimaj v1.3.10 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted XML file. Severity: 0.0 NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...
See 3 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI