CVE-2024-5337

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Published: May 25, 2024 / Updated: 5mo ago

CVSS 5.1 / EPSS 0.05% / Medium

Summary

A command injection vulnerability (CVE-2024-5337) affects Ruijie RG-UAC up to version 20240516. The flaw lies in the handling of the /view/systemConfig/sys_user/user_commit.php file: the email2 and user_name arguments reach an operating system command without adequate neutralization (CWE-78), so a crafted value can append or substitute shell commands. The attack can be initiated remotely, but the published CVSS vectors rate Privileges Required as High, meaning the attacker needs an account on the appliance's management interface; this is not an unauthenticated issue. The "critical" wording in the original VulDB description is VulDB's own classification and does not match the Medium CVSS rating shown on this page.

Impact

OS command injection on the RG-UAC management interface lets an attacker run commands with the privileges of the process that executes user_commit.php. Depending on how that process is configured, this can extend to reading appliance configuration, altering user accounts, planting persistence, or disrupting the device. Note, however, that the published CVSS vectors score confidentiality, integrity and availability impact as Low and require high privileges, so the scoring on this page treats the issue as Medium severity rather than as a full compromise; the practical impact depends on which process runs the injected command and on who can reach the endpoint.

Exploitation

The VulDB entry (VDB-266243) states that the exploit has been disclosed to the public and may be used. There is no evidence of exploitation in the wild at the moment (EPSS 0.05%).

Patch

The vendor has not provided a patched software version for CVE-2024-5337 at this time. According to the VulDB entry, Ruijie was contacted early about the disclosure but did not respond in any way.

Mitigation

No fix is available at the time of writing, so mitigation relies on reducing exposure. Restrict access to the RG-UAC management interface (and /view/systemConfig/sys_user/ in particular) to trusted administrative networks, and review which accounts hold the privileges needed to reach user_commit.php, since the vector requires high privileges. Watch for requests to that path whose email2 or user_name values contain shell metacharacters (;, |, &, backticks, $( )). If a WAF or reverse proxy sits in front of the appliance, add a rule that rejects such values. Apply the vendor update once one is published. For the defect class itself, the durable fix is on the vendor side: validate these fields against a strict allowlist and pass them to OS commands as separate arguments rather than interpolating them into a shell string.
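As an added example (not Ruijie code, and not derived from the appliance's actual handling of user_commit.php, which is not public): a small Python inspector that applies the two controls above, an allowlist check on email2/user_name and a shell-metacharacter check, and runs it over constructed access-log lines for retroactive review. The path and parameter names come from the advisory; the allowlist patterns, the log format and the sample log lines are assumptions.

```python
"""Added example, not Ruijie code: request inspection for CVE-2024-5337-style
command-injection attempts against user_commit.php, usable as a WAF rule or
for retroactive log review. Field allowlists are assumptions; the appliance's
real validation rules are not published."""
import re
from urllib.parse import parse_qs, unquote_plus

TARGET_PATH = "/view/systemConfig/sys_user/user_commit.php"
WATCHED_PARAMS = ("email2", "user_name")  # parameters named in the advisory

# Assumed allowlists: a username of limited charset, an email of ordinary shape.
USER_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}$")
# Shell metacharacters that turn a substituted value into extra commands.
SHELL_META_RE = re.compile(r"[;&|`\n\r<>]|\$\(|\$\{")

# Assumed Common Log Format with an authenticated user field.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def inspect_request(path, params):
    """Return a list of (param, reason) findings for one request.

    params: mapping of name -> list of values, the shape parse_qs produces.
    Requests to other paths are ignored so unrelated pages do not alert.
    """
    findings = []
    if path != TARGET_PATH:
        return findings
    for name in WATCHED_PARAMS:
        for raw in params.get(name, []):
            value = unquote_plus(raw)  # second decode catches double-encoded payloads
            if SHELL_META_RE.search(value):
                findings.append((name, "shell metacharacter"))
                continue
            pattern = EMAIL_RE if name == "email2" else USER_NAME_RE
            if not pattern.fullmatch(value):
                findings.append((name, "outside allowlist"))
    return findings


def scan_access_log(lines):
    """Return (src, timestamp, findings) for each log line that trips inspect_request.

    Only GET-style query strings are visible in an access log; POST bodies need
    a WAF hook or request-body logging feeding inspect_request directly.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        findings = inspect_request(path, parse_qs(query, keep_blank_values=True))
        if findings:
            hits.append((m.group("src"), m.group("ts"), findings))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # ordinary admin edit: passes both checks
    '198.51.100.7 - admin [25/May/2024:15:06:01 +0000] "GET '
    '/view/systemConfig/sys_user/user_commit.php?user_name=alice&email2=alice%40example.com HTTP/1.1" 200 512',
    # injection attempt through email2: "b@x.com;id>/tmp/o" after one decode
    '203.0.113.5 - admin [25/May/2024:15:07:22 +0000] "GET '
    '/view/systemConfig/sys_user/user_commit.php?user_name=bob&email2=b%40x.com%3Bid%3E%2Ftmp%2Fo HTTP/1.1" 200 512',
    # double-encoded attempt through user_name: "$(id)" after two decodes
    '203.0.113.5 - admin [25/May/2024:15:08:10 +0000] "GET '
    '/view/systemConfig/sys_user/user_commit.php?user_name=%2524%2528id%2529&email2=c%40x.com HTTP/1.1" 200 512',
    # metacharacters on an unrelated endpoint: not flagged
    '198.51.100.7 - admin [25/May/2024:15:09:00 +0000] "GET /view/other.php?q=a%3Bb HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for src, ts, findings in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {src} {findings}")
```

Run stand-alone it reports the two suspicious lines from the constructed log. The second decode in inspect_request is deliberate: a payload URL-encoded twice survives the web server's single decode as harmless-looking text and only becomes "$(id)" after the application decodes it again, so a filter that inspects only the once-decoded value misses it.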

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article: Feedly found the first article mentioning CVE-2024-5337.
May 25, 2024 at 3:06 PM / CVE

CVSS Estimate: Feedly estimated the CVSS score as HIGH.
May 25, 2024 at 3:07 PM

CVE Assignment: NVD published the first details for CVE-2024-5337.
May 25, 2024 at 3:15 PM

CVSS: A CVSS base score of 4.7 has been assigned.
May 25, 2024 at 3:20 PM / nvd

Trending: This CVE started to trend in security discussions.
May 25, 2024 at 4:02 PM

Trending: This CVE stopped trending in security discussions.
May 25, 2024 at 10:12 PM

Trending: This CVE started to trend in security discussions.
May 25, 2024 at 10:29 PM

EPSS: EPSS score was set to 0.05% (Percentile: 15.8%).
May 26, 2024 at 10:43 AM

Trending: This CVE stopped trending in security discussions.
May 27, 2024 at 12:52 AM

Affected Systems

Ruijie/rg-uac

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection (listed through the generic CWE-78 mapping; the advisory describes no SQL component, the injection point is the email2/user_name request arguments)

News

CVE-2024-5337
Medium Severity. Description: A vulnerability was found in Ruijie RG-UAC up to 20240516 and classified as critical. This issue affects some unknown processing of the file /view/systemConfig/sys_user/user_commit.php. The manipulation of the argument email2/user_name leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-266243. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. Read more at https://www.tenable.com/cve/CVE-2024-5337
NA - CVE-2024-5337 - A vulnerability was found in Ruijie RG-UAC up...
This alert is flagged as CWE/SANS TOP 25 Common Weakness Enumeration. CWE: Common Weakness Enumeration
CVE-2024-5337
Severity 3.1 (CVSS 3.1 Base Score): A vulnerability was found in Ruijie RG-UAC up to 20240516 and classified as critical.
CVE-2024-5337
Same VulDB description as above, republished on CyberSecurityBoard.
Critical Vulnerability in Ruijie RG-UAC Affects Unknown Processing of File /view/systemConfig/sys_user/user_commit.php, Leading to OS Command Injection Remotely
Ruijie - MEDIUM - CVE-2024-5337: same VulDB description as above.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
