Cyber Resilience

CVE-2024-21645

Severity: Medium · Public PoC

Published: 08 January 2024
Modified: 21 November 2024
KEV Added: not listed
Patch: available (fixed in 0.5.0b3.dev77)
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS Score: 0.6910 (98.7th percentile)
Risk Priority: 52 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-21645 is a medium-severity Injection (CWE-74) vulnerability in pyLoad (vendor/product: pyload/pyload). Its CVSS base score is 5.3 (Medium).

Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

pyLoad, the open-source Python download manager, contains a log injection vulnerability tracked as CVE-2024-21645. The flaw permits arbitrary messages to be written into the application's logs without authentication, enabling forged or corrupted log entries that could mask attacker activity or falsely implicate another party. It is rated CVSS 5.3 and is assigned CWE-74.

Any unauthenticated remote attacker can exploit the issue over the network to inject chosen content into pyLoad logs, achieving limited integrity impact without affecting confidentiality or availability.

The vulnerability was addressed in version 0.5.0b3.dev77, as detailed in the GitHub security advisory GHSA-ghmw-rwh8-6qmr and the associated commit 4159a1191ec4fe6d927e57a9c4bb8f54e16c381d.

EPSS scores reached a peak of 0.7349 with a current value of 0.6910.

Vulnerability details

pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77.
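The log-injection pattern described here and in the "Deeper analysis" section, shown as an added Python example (this is not pyLoad's own code, and not the fix from the referenced commit, which this page does not show): an untrusted value containing CR/LF is logged verbatim and becomes two log lines, whereas escaping control characters before logging keeps it as one line. The input value, logger names and the `neutralize`/`has_control_chars` helpers are constructed for this example.

```python
import logging
import re
from io import StringIO

# Constructed sample of a value an unauthenticated client could submit
# (e.g. a download URL). The embedded CR/LF is what turns one request
# into two log lines if it is written to the log unchanged.
CONSTRUCTED_INPUT = "http://example.invalid/a.zip\r\nINFO forged: login ok user=admin"

# Control characters (CR, LF, NUL, ESC, ...) that must never reach a log line raw.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def has_control_chars(value: str) -> bool:
    """Input check: True if the value could break or forge a log line."""
    return CONTROL_CHARS.search(value) is not None


def neutralize(value: str) -> str:
    """Escape control characters as \\xNN so the value stays on one log line."""
    return CONTROL_CHARS.sub(lambda m: f"\\x{ord(m.group()):02x}", value)


def _logger(name: str) -> tuple[logging.Logger, StringIO]:
    """Build a logger writing to an in-memory buffer (no timestamps, for determinism)."""
    buf = StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, buf


def log_request(value: str, hardened: bool) -> list[str]:
    """Log one request the vulnerable or the hardened way; return the resulting log lines."""
    logger, buf = _logger("demo.hardened" if hardened else "demo.vulnerable")
    logger.info("download requested: %s", neutralize(value) if hardened else value)
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    print("vulnerable:", log_request(CONSTRUCTED_INPUT, hardened=False))  # two entries
    print("hardened:  ", log_request(CONSTRUCTED_INPUT, hardened=True))   # one entry
```

The vulnerable path yields a second entry that is indistinguishable from a genuine application log line, which is why neutralization at the logging boundary, not post-hoc log parsing, is the control for CWE-74 here.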

CWE(s): CWE-74 (Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: pyload
Product: pyload
Versions: 0.5.0 · ≤ 0.4.9

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-74: Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.

- Addresses CWE-74: Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.