Cyber Resilience

CVE-2024-0195

Medium · Public PoC

Published: 02 January 2024

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.9170 (99.7th percentile)
Risk Priority: 68 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-0195 is a medium-severity Code Injection (CWE-94) vulnerability in Ssssssss Spider-Flow. Its CVSS base score is 6.3 (Medium).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

A vulnerability classified as code injection was identified in spider-flow version 0.4.3, specifically in the FunctionService.saveFunction method within src/main/java/org/spiderflow/controller/FunctionController.java. The flaw, tracked as CVE-2024-0195 and assigned CWE-94, permits remote attackers to supply crafted input that results in arbitrary code execution on the affected server.

An attacker with low-privileged credentials can exploit the issue over the network without user interaction, achieving limited impacts to confidentiality, integrity, and availability as reflected in the CVSS 6.3 score. Public proof-of-concept code has been released, enabling straightforward reproduction of remote code execution against unpatched instances.

The provided references consist primarily of a detailed exploit write-up and VulDB entries; no official vendor advisory or patch information is included. The EPSS score currently stands at 0.9170 with a recorded peak of 0.9629, indicating sustained exploitation interest following disclosure.


Vulnerability details

A vulnerability, which was classified as critical, was found in spider-flow 0.4.3. Affected is the function FunctionService.saveFunction of the file src/main/java/org/spiderflow/controller/FunctionController.java. The manipulation leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-249510 is the identifier assigned to this vulnerability.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ssssssss
Product: spider-flow
Version: 0.4.3

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-94: Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

Addresses CWE-94: Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

Addresses CWE-94: Validates inputs used in dynamic code generation to block injected directives.

Addresses CWE-94: Directly prevents execution of attacker-supplied code written into data memory regions.
