CVE-2024-42167
Published: 12 August 2024
Summary
CVE-2024-42167 is a critical-severity OS Command Injection (CWE-78) vulnerability in Fiware Keyrock. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked at the 48.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-39457
Vulnerability details
The function "generate_app_certificates" in controllers/saml2/saml2.js of FIWARE Keyrock <= 8.4 does not neutralize special elements used in an OS Command properly. This allows an authenticated user with permissions to create applications to execute commands by creating an application with a…
more
malicious organisationname.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a command injection in the generate_app_certificates function, allowing authenticated users with application creation permissions to execute arbitrary OS commands via a malicious organization name.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.