OpenCVE

Nuclei is a fast and customizable vulnerability scanner based on simple YAML based DSL. In affected versions it a way to execute code template without -code option and signature has been discovered. Some web applications inherit from Nuclei and allow users to edit and execute workflow files. In this case, users can execute arbitrary commands. (Although, as far as I know, most web applications use -t to execute). This issue has been addressed in version 3.3.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-c3q9-c27p-cw9h

History

Tue, 13 Aug 2024 21:30:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:projectdiscovery:nuclei:3.0.0:::::::*
Vendors & Products	Projectdiscovery Projectdiscovery nuclei
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-07-17T17:34:10.792Z

Updated: 2024-08-13T20:55:48.064Z

Reserved: 2024-07-08T16:13:15.512Z

Link: CVE-2024-40641

Vulnrichment

Updated: 2024-08-02T04:33:11.961Z

NVD

Status : Awaiting Analysis

Published: 2024-07-17T18:15:05.020

Modified: 2024-11-21T09:31:24.887

Link: CVE-2024-40641

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-40641", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-08T16:13:15.512Z", "datePublished": "2024-07-17T17:34:10.792Z", "dateUpdated": "2024-08-13T20:55:48.064Z"}, "containers": {"cna": {"title": "Unsigned code template execution through workflows in projectdiscovery/nuclei", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-c3q9-c27p-cw9h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-c3q9-c27p-cw9h"}], "affected": [{"vendor": "projectdiscovery", "product": "nuclei", "versions": [{"version": ">= 3.0.0, < 3.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-17T17:34:10.792Z"}, "descriptions": [{"lang": "en", "value": "Nuclei is a fast and customizable vulnerability scanner based on simple YAML based DSL. In affected versions it a way to execute code template without -code option and signature has been discovered. Some web applications inherit from Nuclei and allow users to edit and execute workflow files. In this case, users can execute arbitrary commands. (Although, as far as I know, most web applications use -t to execute). This issue has been addressed in version 3.3.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-c3q9-c27p-cw9h", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "projectdiscovery", "product": "nuclei", "cpes": ["cpe:2.3:a:projectdiscovery:nuclei:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "3.0.0", "status": "affected", "lessThan": "3.3.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-30T17:18:43.495871Z", "id": "CVE-2024-40641", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-13T20:55:48.064Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:33:11.961Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-c3q9-c27p-cw9h", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-c3q9-c27p-cw9h"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-c3q9-c27p-cw9h", "name": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-c3q9-c27p-cw9h", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:33:11.961Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-40641", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-30T17:18:43.495871Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:projectdiscovery:nuclei:*:*:*:*:*:*:*:*"], "vendor": "projectdiscovery", "product": "nuclei", "versions": [{"status": "affected", "version": "3.0.0", "lessThan": "3.3.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-30T17:20:20.895Z"}}], "cna": {"title": "Unsigned code template execution through workflows in projectdiscovery/nuclei", "source": {"advisory": "GHSA-c3q9-c27p-cw9h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "projectdiscovery", "product": "nuclei", "versions": [{"status": "affected", "version": ">= 3.0.0, < 3.3.0"}]}], "references": [{"url": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-c3q9-c27p-cw9h", "name": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-c3q9-c27p-cw9h", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Nuclei is a fast and customizable vulnerability scanner based on simple YAML based DSL. In affected versions it a way to execute code template without -code option and signature has been discovered. Some web applications inherit from Nuclei and allow users to edit and execute workflow files. In this case, users can execute arbitrary commands. (Although, as far as I know, most web applications use -t to execute). This issue has been addressed in version 3.3.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-17T17:34:10.792Z"}}}, "cveMetadata": {"cveId": "CVE-2024-40641", "state": "PUBLISHED", "dateUpdated": "2024-08-13T20:55:48.064Z", "dateReserved": "2024-07-08T16:13:15.512Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-17T17:34:10.792Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "Nuclei is a fast and customizable vulnerability scanner based on simple YAML based DSL. In affected versions it a way to execute code template without -code option and signature has been discovered. Some web applications inherit from Nuclei and allow users to edit and execute workflow files. In this case, users can execute arbitrary commands. (Although, as far as I know, most web applications use -t to execute). This issue has been addressed in version 3.3.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Nuclei es un esc\u00e1ner de vulnerabilidades r\u00e1pido y personalizable basado en DSL simple basado en YAML. En las versiones afectadas se ha descubierto una forma de ejecutar una plantilla de c\u00f3digo sin la opci\u00f3n -code ni la firma. Algunas aplicaciones web heredan de Nuclei y permiten a los usuarios editar y ejecutar archivos de flujo de trabajo. En este caso, los usuarios pueden ejecutar comandos arbitrarios. (Aunque, hasta donde yo s\u00e9, la mayor\u00eda de las aplicaciones web usan -t para ejecutar). Este problema se solucion\u00f3 en la versi\u00f3n 3.3.0. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2024-40641", "lastModified": "2024-11-21T09:31:24.887", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-07-17T18:15:05.020", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-c3q9-c27p-cw9h"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-c3q9-c27p-cw9h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}]}