CVE-2024-22891
Published: 01 March 2024
Summary
CVE-2024-22891 is a critical-severity vulnerability in Nteract, classified as Open Redirect (CWE-601). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 2.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
Nteract version 0.28.0 contains a remote code execution vulnerability that can be triggered through a specially crafted Markdown link. The flaw is tracked as CVE-2024-22891 with a CVSS 3.1 base score of 9.8 and is associated with CWE-601. The affected component is the Markdown rendering and link-handling logic within the desktop notebook application.
An unauthenticated attacker can supply a malicious Markdown document containing a crafted link. When the file is opened in Nteract, the vulnerability allows arbitrary code execution on the victim system without requiring user interaction beyond viewing the document, resulting in full confidentiality, integrity, and availability impact.
Public proof-of-concept code demonstrating the issue has been published on GitHub. The current EPSS score stands at 0.3943 with an identical recorded peak, indicating sustained exploitation interest since disclosure. No official vendor advisory or patch information is referenced in the available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0846
Vulnerability details
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2024-22891 enables remote code execution in the Nteract desktop client application via a crafted Markdown link, facilitating Exploitation for Client Execution (T1203).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.