CVE-2024-12358
Published: 09 December 2024
Summary
CVE-2024-12358 is a medium-severity Command Injection (CWE-77) vulnerability in the Datax-Web Project's Datax-Web. Its CVSS base score is 5.3 (Medium).
Operationally, it is ranked in the top 9.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-12358 is an OS command injection vulnerability in WeiYe-Jing datax-web version 2.1.1. The flaw resides in an unknown portion of the /api/job/add/ endpoint, where unsanitized input to the glueSource argument is passed to the operating system, enabling arbitrary command execution. It is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 5.3.
The issue can be exploited remotely by an authenticated user without user interaction. An attacker who supplies a malicious glueSource value can execute operating-system commands on the underlying host, potentially leading to limited impacts on confidentiality, integrity, and availability within the application context. A public proof-of-concept has been released.
The EPSS score has remained flat at 0.0513 with no material increase since disclosure. The referenced advisories and disclosure entries focus on the existence of the flaw and the availability of exploit details rather than on patches or configuration workarounds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50803
Vulnerability details
A vulnerability was found in WeiYe-Jing datax-web 2.1.1. It has been classified as critical. This affects an unknown part of the file /api/job/add/. The manipulation of the argument glueSource leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.