{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-35515", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-09-18T19:00:10.214Z", "dateReserved": "2024-05-17T00:00:00", "datePublished": "2024-09-18T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-09-18T15:09:45.568902"}, "descriptions": [{"lang": "en", "value": "Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/piskvorky/sqlitedict/"}, {"url": "https://wha13.github.io/2024/06/13/mfcve/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "affected": [{"vendor": "sqlitedict", "product": "sqlitedict", "cpes": ["cpe:2.3:a:sqlitedict:sqlitedict:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.0", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-09-18T17:38:55.035100Z", "id": "CVE-2024-35515", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T19:00:10.214Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-35515", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-18T17:38:55.035100Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:sqlitedict:sqlitedict:*:*:*:*:*:*:*:*"], "vendor": "sqlitedict", "product": "sqlitedict", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.1.0"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T17:41:46.289Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/piskvorky/sqlitedict/"}, {"url": "https://wha13.github.io/2024/06/13/mfcve/"}], "descriptions": [{"lang": "en", "value": "Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-09-18T15:09:45.568902"}}}, "cveMetadata": {"cveId": "CVE-2024-35515", "state": "PUBLISHED", "dateUpdated": "2024-09-18T19:00:10.214Z", "dateReserved": "2024-05-17T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-09-18T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code."}, {"lang": "es", "value": "La deserializaci\u00f3n insegura en sqlitedict hasta v2.1.0 permite a los atacantes ejecutar c\u00f3digo arbitrario."}], "id": "CVE-2024-35515", "lastModified": "2024-09-20T12:30:17.483", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-09-18T15:15:14.843", "references": [{"source": "[email protected]", "url": "https://github.com/piskvorky/sqlitedict/"}, {"source": "[email protected]", "url": "https://wha13.github.io/2024/06/13/mfcve/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "sqlitedict: arbitrary code execution via insecure deserialization", "id": "2313352", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313352"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-502", "details": ["Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code.", "A flaw was found in sqlitedict. An attacker may be able leverage an insecure deserialization vulnerability to execute arbitrary code."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-35515", "package_state": [{"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Affected", "package_name": "rhelai1/bootc-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Affected", "package_name": "rhelai1/instructlab-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}], "public_date": "2024-09-18T15:15:14Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-35515\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-35515\nhttps://github.com/piskvorky/sqlitedict/\nhttps://wha13.github.io/2024/06/13/mfcve/"], "threat_severity": "Moderate"}