CVE-2024-23738
Published: 28 January 2024
Summary
CVE-2024-23738 is a critical-severity vulnerability of unspecified weakness type (no CWE assigned) in Postman. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 5.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-23738 is a remote code execution vulnerability affecting Postman version 10.22 and earlier on macOS. It stems from the application's use of Electron's RunAsNode and enableNodeCliInspectArguments settings, which can be abused to execute arbitrary code.
According to the reported CVSS 9.8 vector, a remote attacker can exploit the flaw over the network with no authentication or user interaction to achieve full code execution. The attack vector relies on the application's configuration allowing Node.js inspection arguments to be passed in a way that bypasses intended restrictions.
Public references point to a GitHub proof-of-concept and an Electron project statement addressing RunAsNode-related CVEs in general. The Postman vendor has disputed the report, stating that the configuration does not actually enable remote code execution.
The EPSS score stands at 0.1275, with no material change since its peak, and no confirmed real-world exploitation activity is documented in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-21194
Vulnerability details
An issue in Postman version 10.22 and before on macOS allows a remote attacker to execute arbitrary code via the RunAsNode and enableNodeCliInspectArguments settings. NOTE: the vendor states "we dispute the report's accuracy ... the configuration does not enable remote code execution."
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.