Description
URL GET parameter "logtime" utilized within the "downloadlog" function from "cbpi/http_endpoints/http_system.py" is subsequently passed to the "os.system" function in "cbpi/controller/system_controller.py" without prior validation allowing to execute arbitrary code.This issue affects CraftBeerPi 4: from 4.0.0.58 (commit 563fae9) before 4.4.1.a1 (commit 57572c7).

Published: 2024-05-02
Score: 9.8 Critical
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4f92-w438-f484 CraftBeerPi 4 allows arbitrary code execution
History

No history.

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2024-08-01T20:26:57.228Z

Reserved: 2024-04-18T15:36:37.809Z

Link: CVE-2024-3955

cve-icon Vulnrichment

Updated: 2024-08-01T20:26:57.228Z

cve-icon NVD

Status : Deferred

Published: 2024-05-02T10:15:08.630

Modified: 2026-06-17T07:45:32.740

Link: CVE-2024-3955

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')