{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-49361", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-10-14T13:56:34.810Z", "datePublished": "2024-10-18T18:55:42.604Z", "dateUpdated": "2024-10-18T20:41:16.532Z"}, "containers": {"cna": {"title": "Potential Vulnerability in ACON Library: Improper Input Validation Leading to Malicious Code Execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/torinriley/ACON/security/advisories/GHSA-345g-6rmp-3cv9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/torinriley/ACON/security/advisories/GHSA-345g-6rmp-3cv9"}], "affected": [{"vendor": "torinriley", "product": "ACON", "versions": [{"version": "<= 1.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-18T18:55:42.604Z"}, "descriptions": [{"lang": "en", "value": "ACON is a widely-used library of tools for machine learning that focuses on adaptive correlation optimization. A potential vulnerability has been identified in the input validation process, which could lead to arbitrary code execution if exploited. This issue could allow an attacker to submit malicious input data, bypassing input validation, resulting in remote code execution in certain machine learning applications using the ACON library. All users utilizing ACON\u2019s input-handling functions are potentially at risk. Specifically, machine learning models or applications that ingest user-generated data without proper sanitization are the most vulnerable. Users running ACON on production servers are at heightened risk, as the vulnerability could be exploited remotely. As of time of publication, it is unclear whether a fix is available."}], "source": {"advisory": "GHSA-345g-6rmp-3cv9", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "acon", "product": "acon", "cpes": ["cpe:2.3:a:acon:acon:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-18T19:57:13.221660Z", "id": "CVE-2024-49361", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-18T20:41:16.532Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-49361", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-18T19:57:13.221660Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:acon:acon:*:*:*:*:*:*:*:*"], "vendor": "acon", "product": "acon", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.1.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-18T20:40:58.626Z"}}], "cna": {"title": "Potential Vulnerability in ACON Library: Improper Input Validation Leading to Malicious Code Execution", "source": {"advisory": "GHSA-345g-6rmp-3cv9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "torinriley", "product": "ACON", "versions": [{"status": "affected", "version": "<= 1.1.0"}]}], "references": [{"url": "https://github.com/torinriley/ACON/security/advisories/GHSA-345g-6rmp-3cv9", "name": "https://github.com/torinriley/ACON/security/advisories/GHSA-345g-6rmp-3cv9", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ACON is a widely-used library of tools for machine learning that focuses on adaptive correlation optimization. A potential vulnerability has been identified in the input validation process, which could lead to arbitrary code execution if exploited. This issue could allow an attacker to submit malicious input data, bypassing input validation, resulting in remote code execution in certain machine learning applications using the ACON library. All users utilizing ACON\u2019s input-handling functions are potentially at risk. Specifically, machine learning models or applications that ingest user-generated data without proper sanitization are the most vulnerable. Users running ACON on production servers are at heightened risk, as the vulnerability could be exploited remotely. As of time of publication, it is unclear whether a fix is available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-18T18:55:42.604Z"}}}, "cveMetadata": {"cveId": "CVE-2024-49361", "state": "PUBLISHED", "dateUpdated": "2024-10-18T20:41:16.532Z", "dateReserved": "2024-10-14T13:56:34.810Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-10-18T18:55:42.604Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ACON is a widely-used library of tools for machine learning that focuses on adaptive correlation optimization. A potential vulnerability has been identified in the input validation process, which could lead to arbitrary code execution if exploited. This issue could allow an attacker to submit malicious input data, bypassing input validation, resulting in remote code execution in certain machine learning applications using the ACON library. All users utilizing ACON\u2019s input-handling functions are potentially at risk. Specifically, machine learning models or applications that ingest user-generated data without proper sanitization are the most vulnerable. Users running ACON on production servers are at heightened risk, as the vulnerability could be exploited remotely. As of time of publication, it is unclear whether a fix is available."}, {"lang": "es", "value": "ACON es una librer\u00eda de herramientas de aprendizaje autom\u00e1tico ampliamente utilizada que se centra en la optimizaci\u00f3n de la correlaci\u00f3n adaptativa. Se ha identificado una vulnerabilidad potencial en el proceso de validaci\u00f3n de entrada, que podr\u00eda provocar la ejecuci\u00f3n de c\u00f3digo arbitrario si se explota. Este problema podr\u00eda permitir que un atacante env\u00ede datos de entrada maliciosos, evitando la validaci\u00f3n de entrada, lo que da como resultado la ejecuci\u00f3n remota de c\u00f3digo en ciertas aplicaciones de aprendizaje autom\u00e1tico que utilizan la librer\u00eda ACON. Todos los usuarios que utilizan las funciones de manejo de entrada de ACON corren un riesgo potencial. En concreto, los modelos o aplicaciones de aprendizaje autom\u00e1tico que ingieren datos generados por el usuario sin una desinfecci\u00f3n adecuada son los m\u00e1s vulnerables. Los usuarios que ejecutan ACON en servidores de producci\u00f3n corren un mayor riesgo, ya que la vulnerabilidad podr\u00eda explotarse de forma remota. Al momento de la publicaci\u00f3n, no est\u00e1 claro si hay una soluci\u00f3n disponible."}], "id": "CVE-2024-49361", "lastModified": "2024-10-21T17:10:22.857", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-10-18T19:15:14.393", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/torinriley/ACON/security/advisories/GHSA-345g-6rmp-3cv9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}