OS Command Injection in aops-zeus - CVE-2024-24899
Published: March 25, 2024
Vulnerability identifier: #VU87781
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-24899
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
aops-zeus
aops-zeus
Software vendor:
openEuler
openEuler
Description
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the plugin management command in the zeus/conf/constant file. A remote authenticated user can inject arbitrary commands to be executed on the remote host.
Remediation
Install updates from vendor's website.
External links
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1292
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1293
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1294
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1291
- https://gitee.com/src-openeuler/aops-zeus/pulls/108
- https://gitee.com/src-openeuler/aops-zeus/pulls/107