Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-41961

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-01 Aug, 2024 | 14:33
Updated At-07 Aug, 2024 | 14:23
Rejected At-
Credits

Elektra vulnerable to remote code execution in universal search

Elektra is an opinionated Openstack Dashboard for Operators and Consumers of Openstack Services. A code injection vulnerability was found in the live search functionality of the Ruby on Rails based Elektra web application. An authenticated user can craft a search term containing Ruby code, which later flows into an `eval` sink which executes the code. Fixed in commit 8bce00be93b95a6512ff68fe86bf9554e486bc02.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:01 Aug, 2024 | 14:33
Updated At:07 Aug, 2024 | 14:23
Rejected At:
▼CVE Numbering Authority (CNA)
Elektra vulnerable to remote code execution in universal search

Elektra is an opinionated Openstack Dashboard for Operators and Consumers of Openstack Services. A code injection vulnerability was found in the live search functionality of the Ruby on Rails based Elektra web application. An authenticated user can craft a search term containing Ruby code, which later flows into an `eval` sink which executes the code. Fixed in commit 8bce00be93b95a6512ff68fe86bf9554e486bc02.

Affected Products
Vendor
sapcc
Product
elektra
Versions
Affected
  • < 8bce00be93b95a6512ff68fe86bf9554e486bc02
Problem Types
TypeCWE IDDescription
CWECWE-94CWE-94: Improper Control of Generation of Code ('Code Injection')
Type: CWE
CWE ID: CWE-94
Description: CWE-94: Improper Control of Generation of Code ('Code Injection')
Metrics
VersionBase scoreBase severityVector
3.19.2CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H/E:X/RL:O/RC:C
Version: 3.1
Base score: 9.2
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H/E:X/RL:O/RC:C
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/sapcc/elektra/security/advisories/GHSA-6j2h-486h-487q
x_refsource_CONFIRM
https://github.com/sapcc/elektra/commit/49aea3b365082681558bf3bf7bf4a51766cfc44d
x_refsource_MISC
https://github.com/sapcc/elektra/commit/8bce00be93b95a6512ff68fe86bf9554e486bc02
x_refsource_MISC
Hyperlink: https://github.com/sapcc/elektra/security/advisories/GHSA-6j2h-486h-487q
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/sapcc/elektra/commit/49aea3b365082681558bf3bf7bf4a51766cfc44d
Resource:
x_refsource_MISC
Hyperlink: https://github.com/sapcc/elektra/commit/8bce00be93b95a6512ff68fe86bf9554e486bc02
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor
sapcc
Product
elektra
CPEs
  • cpe:2.3:a:sapcc:elektra:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 before 8bce00be93b95a6512ff68fe86bf9554e486bc02 (custom)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:01 Aug, 2024 | 15:15
Updated At:01 Aug, 2024 | 16:45

Elektra is an opinionated Openstack Dashboard for Operators and Consumers of Openstack Services. A code injection vulnerability was found in the live search functionality of the Ruby on Rails based Elektra web application. An authenticated user can craft a search term containing Ruby code, which later flows into an `eval` sink which executes the code. Fixed in commit 8bce00be93b95a6512ff68fe86bf9554e486bc02.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.6CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H
Type: Secondary
Version: 3.1
Base score: 9.6
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-94Secondarysecurity-advisories@github.com
CWE ID: CWE-94
Type: Secondary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/sapcc/elektra/commit/49aea3b365082681558bf3bf7bf4a51766cfc44dsecurity-advisories@github.com
N/A
https://github.com/sapcc/elektra/commit/8bce00be93b95a6512ff68fe86bf9554e486bc02security-advisories@github.com
N/A
https://github.com/sapcc/elektra/security/advisories/GHSA-6j2h-486h-487qsecurity-advisories@github.com
N/A
Hyperlink: https://github.com/sapcc/elektra/commit/49aea3b365082681558bf3bf7bf4a51766cfc44d
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/sapcc/elektra/commit/8bce00be93b95a6512ff68fe86bf9554e486bc02
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/sapcc/elektra/security/advisories/GHSA-6j2h-486h-487q
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

0Records found
Details not found