CVE-2024-22836
Published: 08 February 2024
Summary
CVE-2024-22836 is a critical-severity OS command injection (CWE-78) vulnerability in Akaunting (the vendor and product are both listed as Akaunting). Its CVSS 3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE is ranked in the top 2.7% of CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.
Deeper analysis
Akaunting versions 3.1.3 and earlier contain an OS command injection vulnerability tracked as CVE-2024-22836 and assigned CWE-78. The flaw carries a CVSS 3.1 score of 9.8 and permits an unauthenticated remote attacker to execute arbitrary system commands on the underlying server by manipulating the company locale value supplied during app installation.
An attacker needs only network access to the Akaunting instance and the ability to trigger an app install. Because the locale value reaches a system command without neutralisation, a crafted locale string containing shell metacharacters is executed as additional operating-system commands, with full confidentiality, integrity, and availability impact on the host.
The Akaunting project addressed the issue in release 3.1.4, available from the project's GitHub repository. Administrators should upgrade immediately and verify that locale-handling code paths no longer pass untrusted input to a shell during installation flows. The associated EPSS score has remained flat at 0.38 with no observed rise after disclosure.
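The injection pattern described above, as an added example that is not Akaunting's code: a hypothetical locale-handling step that builds a shell command from the submitted company locale, next to a hardened version that allowlists the locale format and avoids the shell entirely. The function names, the locale regex and the attacker input are assumptions constructed for this illustration; `echo` stands in for whatever real command such a step would run.

```python
import re
import subprocess

# Added illustration, not Akaunting's code. The functions below are hypothetical
# stand-ins for a locale-handling step that shells out; the command used here is
# `echo` so the demonstration is harmless to run.

# Allowlist for a locale tag: language (2-3 lowercase letters) with optional
# region (underscore + 2 uppercase letters), e.g. "en", "en_US", "pt_BR".
LOCALE_RE = re.compile(r"^[a-z]{2,3}(?:_[A-Z]{2})?$")


def vulnerable_apply_locale(locale: str) -> str:
    """CWE-78 pattern: untrusted value interpolated into a shell command string.

    With shell=True the string is parsed by /bin/sh, so metacharacters in
    `locale` (";", "|", "$(...)", backticks) become additional commands.
    """
    cmd = f"echo locale={locale}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_locale(locale: str) -> str:
    """Reject anything that is not a plain language[_REGION] tag.

    fullmatch() is used deliberately: a trailing newline or any extra character
    fails the check, whereas re.match() with '$' would tolerate "en_US\n".
    """
    if not LOCALE_RE.fullmatch(locale):
        raise ValueError(f"invalid locale: {locale!r}")
    return locale


def argv_only_apply_locale(locale: str) -> str:
    """No validation but no shell either.

    Passing an argument list (shell=False) delivers the value as a single argv
    entry; nothing parses it for metacharacters, so the payload is echoed back
    literally instead of being executed.
    """
    return subprocess.run(["echo", f"locale={locale}"],
                          capture_output=True, text=True).stdout


def hardened_apply_locale(locale: str) -> str:
    """Two independent defences: allowlist validation, then argv passing."""
    safe = validate_locale(locale)
    return argv_only_apply_locale(safe)


# Constructed attacker input: a locale tag followed by a second shell command.
INJECTED_LOCALE = "en_US; echo INJECTED"

if __name__ == "__main__":
    print(vulnerable_apply_locale(INJECTED_LOCALE), end="")   # two commands ran
    print(argv_only_apply_locale(INJECTED_LOCALE), end="")    # echoed literally
    try:
        hardened_apply_locale(INJECTED_LOCALE)
    except ValueError as exc:
        print("rejected:", exc)
    print(hardened_apply_locale("en_US"), end="")
```

The two layers are shown because they fail independently: the allowlist stops malformed values before any process is spawned, and the argument-list form guarantees that a value which slips past validation still reaches the program as one argv element rather than being parsed by /bin/sh. Fixing only the shell call leaves the locale unvalidated for every other sink it flows into; fixing only the regex leaves any remaining string-built shell command exploitable.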
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-20366
Vulnerability details
An OS command injection vulnerability exists in Akaunting v3.1.3 and earlier. An attacker can manipulate the company locale when installing an app to execute system commands on the hosting server.
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059 Command and Scripting Interpreter
Why these techniques?
OS command injection in the Akaunting web application lets a remote attacker exploit a public-facing application (T1190) to execute arbitrary system commands on the hosting server (T1059).