Cyber Resilience

CVE-2024-23738

Critical · Public PoC

Published: 28 January 2024

Modified: 21 November 2024
KEV Added: not listed
Patch: (no entry)
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.1275 (94.2nd percentile)
Risk priority: 27 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-23738 is a critical-severity vulnerability in the Postman desktop application (vendor: Postman) with no assigned CWE, so its weakness type is recorded as unspecified. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 5.8% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2024-23738 is reported as a remote code execution vulnerability affecting Postman version 10.22 and earlier on macOS. It stems from the application being shipped as an Electron build with the RunAsNode and EnableNodeCliInspectArguments fuses left enabled. With RunAsNode enabled, setting the ELECTRON_RUN_AS_NODE environment variable makes the signed application binary behave as a plain Node.js interpreter; with EnableNodeCliInspectArguments enabled, the process honours Node's --inspect and --inspect-brk command-line flags, which open a debugger interface that can execute arbitrary JavaScript inside the app's process.

The CVSS vector (AV:N/AC:L/PR:N/UI:N) rates the flaw as exploitable over the network with no authentication or user interaction, which is what produces the 9.8 score. Treat that rating with caution: both fuses only take effect for someone who can already launch the binary with a chosen environment or command line, so the realistic impact is local, for example using the app's code signature and whatever permissions have been granted to it, rather than gaining initial access. The Electron project's statement cited in the references makes the same point about this family of CVEs.

Public references point to a GitHub proof-of-concept and an Electron project statement addressing RunAsNode-related CVEs in general. Postman, the vendor, has disputed the report, stating that the configuration does not actually enable remote code execution.

The EPSS score stands at 0.1275, unchanged from its peak, and no confirmed real-world exploitation is documented in the available references.
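An added example, not code from this page, from Postman, or from the Electron project, showing how to audit an Electron binary for the two fuses this CVE concerns. It parses the fuse block the way I understand the @electron/fuses package to lay it out, which is an assumption here: a fixed sentinel string, one schema-version byte, one count byte, then one ASCII byte per fuse ('0' disabled, '1' enabled, 'r' removed), with the fuse order taken from Electron's version-1 fuse list. The two sample blobs are constructed inline; point the script at a real executable (for example the main binary inside an app bundle) to check an installed build.

```python
"""Read Electron fuse state from an app binary and flag RunAsNode exposure.

Added example, not Postman's or Electron's code. Assumed wire layout (as in
the @electron/fuses package): SENTINEL, then one version byte, one count
byte, then one ASCII byte per fuse: '0' disabled, '1' enabled, 'r' removed.
"""
import sys
from typing import Dict, List, Optional

SENTINEL = b"dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX"

# Fuse names in wire order for fuse schema version 1 (assumed from electron's fuses.json5).
FUSE_V1_NAMES = [
    "RunAsNode",
    "EnableCookieEncryption",
    "EnableNodeOptionsEnvironmentVariable",
    "EnableNodeCliInspectArguments",
    "EnableEmbeddedAsarIntegrityValidation",
    "OnlyLoadAppFromAsar",
    "LoadBrowserProcessSpecificV8Snapshot",
    "GrantFileProtocolExtraPrivileges",
]

STATE_BYTES = {0x30: "disabled", 0x31: "enabled", 0x72: "removed"}


def read_fuses(binary: bytes) -> Optional[Dict[str, str]]:
    """Return {fuse_name: state} parsed after the first sentinel, or None if absent."""
    idx = binary.find(SENTINEL)
    if idx == -1:
        return None  # not an Electron binary, or the fuse block was stripped
    pos = idx + len(SENTINEL)
    if pos + 2 > len(binary):
        raise ValueError("fuse header truncated")
    version, count = binary[pos], binary[pos + 1]
    if version != 1:
        raise ValueError(f"unsupported fuse schema version {version}")
    raw = binary[pos + 2 : pos + 2 + count]
    if len(raw) != count:
        raise ValueError("fuse block truncated")
    fuses: Dict[str, str] = {}
    for i, b in enumerate(raw):
        name = FUSE_V1_NAMES[i] if i < len(FUSE_V1_NAMES) else f"unknown_{i}"
        fuses[name] = STATE_BYTES.get(b, f"unknown(0x{b:02x})")
    return fuses


def run_as_node_exposure(fuses: Dict[str, str]) -> List[str]:
    """Findings for the two fuses behind CVE-2024-23738; empty list means hardened."""
    findings = []
    if fuses.get("RunAsNode") == "enabled":
        findings.append(
            "RunAsNode enabled: ELECTRON_RUN_AS_NODE=1 turns the signed app "
            "binary into a plain Node.js interpreter"
        )
    if fuses.get("EnableNodeCliInspectArguments") == "enabled":
        findings.append(
            "EnableNodeCliInspectArguments enabled: --inspect/--inspect-brk "
            "open a debugger port inside the app process"
        )
    return findings


def read_fuses_from_file(path: str) -> Optional[Dict[str, str]]:
    with open(path, "rb") as f:
        return read_fuses(f.read())


# Constructed samples (not real binaries). The first mimics a build that kept
# Electron's permissive defaults; the second has the two fuses disabled and
# ASAR integrity checks enabled.
VULNERABLE_SAMPLE = b"\x00" * 64 + SENTINEL + b"\x01\x08" + b"10110001" + b"\x00" * 64
HARDENED_SAMPLE = b"\x00" * 64 + SENTINEL + b"\x01\x08" + b"01001100" + b"\x00" * 64


def report(fuses: Optional[Dict[str, str]]) -> str:
    if fuses is None:
        return "no Electron fuse block found"
    lines = [f"  {name:<40} {state}" for name, state in fuses.items()]
    findings = run_as_node_exposure(fuses)
    lines += [f"  FINDING: {f}" for f in findings] or ["  no RunAsNode-related exposure"]
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(report(read_fuses_from_file(sys.argv[1])))
    else:
        print("vulnerable sample:\n" + report(read_fuses(VULNERABLE_SAMPLE)))
        print("hardened sample:\n" + report(read_fuses(HARDENED_SAMPLE)))
```

On a machine with the app installed, the RunAsNode half can be confirmed without any parsing: launch the app's main executable with ELECTRON_RUN_AS_NODE=1 in its environment and a `-e` script argument. A build with the fuse enabled runs the script as Node.js; a build with it disabled ignores the variable and starts the GUI. The @electron/fuses package also provides an equivalent read operation for app bundles.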

Vulnerability details

An issue in Postman version 10.22 and before on macOS allows a remote attacker to execute arbitrary code via the RunAsNode and EnableNodeCliInspectArguments settings. NOTE: the vendor states "we dispute the report's accuracy ... the configuration does not enable remote code execution."

CWE(s): none assigned (unspecified weakness)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: postman
Product: postman
Versions: ≤ 10.22 (macOS)

Mitigating Controls

No mitigating controls mapped yet; the per-CVE control annotator has not reached this CVE. Until it does, the controls that follow directly from the record are to run a Postman release outside the affected range (≤ 10.22) and, for any Electron application you build yourself, to disable the RunAsNode and EnableNodeCliInspectArguments fuses at packaging time, as the Electron project's statement recommends.
