Cyber Resilience

CVE-2024-12358

Medium · Public PoC

Published: 09 December 2024

Modified: 10 December 2024
CVSS v4.0 score: 5.3 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0513 (90.1 percentile)
Risk priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12358 is a medium-severity Command Injection (CWE-77) vulnerability in datax-web (Datax-Web Project). Its CVSS base score is 5.3 (Medium).

Operationally, it ranks in the top 9.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CVE-2024-12358 is an OS command injection vulnerability in WeiYe-Jing datax-web version 2.1.1. The flaw resides in an unknown portion of the /api/job/add/ endpoint, where unsanitized input to the glueSource argument is passed to the operating system, enabling arbitrary command execution. It is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 5.3.

The issue can be exploited remotely by an authenticated user without user interaction. An attacker who supplies a malicious glueSource value can execute operating-system commands on the underlying host, potentially leading to limited impacts on confidentiality, integrity, and availability within the application context. A public proof-of-concept has been released.

The EPSS score has remained flat at 0.0513 with no material increase since disclosure. The referenced advisories and disclosure entries focus on the existence of the flaw and the availability of exploit details rather than on patches or configuration workarounds.

Vulnerability details

A vulnerability was found in WeiYe-Jing datax-web 2.1.1. It has been classified as critical. This affects an unknown part of the file /api/job/add/. The manipulation of the argument glueSource leads to OS command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: datax-web project
Product: datax-web
Version: 2.1.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
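As an added example that is not part of this record or of the datax-web project, the following Python shows the input-validation control above in the generic form a defender would apply to any request parameter that ends up in an OS command: a strict allowlist on the value, a separate screen for shell special elements (useful for logging and alerting on rejected requests), and execution through an argument list rather than a shell string so that metacharacters are never interpreted. The parameter name, allowlist pattern and sample values are constructed for illustration and do not describe how datax-web handles glueSource.

```python
import re
import subprocess
import sys

# Constructed allowlist: this job argument is expected to be a short,
# identifier-like token. Anything outside the pattern is rejected outright.
ALLOWED = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

# Shell metacharacters that would change the meaning of a command if the
# value were interpolated into a shell string (the CWE-78 "special elements").
SHELL_SPECIAL = set(";|&$`\\\"'<>(){}[]*?~\n\r")


def contains_special_elements(value: str) -> bool:
    """True if the value carries characters a shell would interpret.
    Useful as a detection signal on rejected requests, not as the only guard."""
    return any(ch in SHELL_SPECIAL or ch.isspace() for ch in value)


def validate_job_argument(value: str) -> str:
    """Allowlist check: return the value unchanged or raise ValueError."""
    if not ALLOWED.fullmatch(value):
        raise ValueError(f"rejected job argument: {value!r}")
    return value


def build_command(value: str) -> list:
    """Build an argv list; the validated value is exactly one argument and is
    never joined into a shell string. The current interpreter stands in for the
    real job runner so the example runs on any platform."""
    safe = validate_job_argument(value)
    return [sys.executable, "-c", "import sys; print(sys.argv[1])", safe]


def run_job(value: str) -> str:
    """Run the command without a shell and return what the child saw as argv[1]."""
    result = subprocess.run(
        build_command(value), capture_output=True, text=True, check=True
    )
    return result.stdout.strip()


def screen_samples(samples):
    """Classify constructed inputs into accepted values and rejected ones."""
    accepted, rejected = [], []
    for s in samples:
        try:
            accepted.append(validate_job_argument(s))
        except ValueError:
            rejected.append(s)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    samples = ["job_2024-12.sh", "nightly.sync", "job; other", "$(name)", "x|y", ""]
    ok, bad = screen_samples(samples)
    print("accepted:", ok)
    print("rejected:", bad)
    print("flagged for alerting:", [s for s in bad if contains_special_elements(s)])
    print("child received:", run_job("nightly.sync"))
```

The allowlist, not the metacharacter screen, is the control that decides; the screen only tells you which rejections look like injection attempts and so deserve an alert rather than a silent 400.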