The issue stems from a missing validation of the pip field in a POST request sent to the /customnode/install endpoint used to install custom nodes which is added to the server by the extension. This allows an attacker to craft a request that triggers a pip install on a user controlled package or URL, resulting in remote code execution (RCE) on the server.
Metrics
Affected Vendors & Products
References
History
Thu, 12 Dec 2024 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Thu, 12 Dec 2024 08:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The issue stems from a missing validation of the pip field in a POST request sent to the /customnode/install endpoint used to install custom nodes which is added to the server by the extension. This allows an attacker to craft a request that triggers a pip install on a user controlled package or URL, resulting in remote code execution (RCE) on the server. | |
Weaknesses | CWE-94 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: snyk
Published: 2024-12-12T08:15:11.464Z
Updated: 2024-12-12T14:37:18.494Z
Reserved: 2023-12-22T12:33:20.131Z
Link: CVE-2024-21574
Vulnrichment
Updated: 2024-12-12T14:36:43.791Z
NVD
Status : Received
Published: 2024-12-12T09:15:06.037
Modified: 2024-12-12T09:15:06.037
Link: CVE-2024-21574
Redhat
No data.