CVE-2024-48141
Published: 24 October 2024
Summary
CVE-2024-48141 is a high-severity Command Injection (CWE-77) vulnerability in Visualstudio (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Messaging Applications (T1213.005); ranked at the 46.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the LLM/Generative AI Risks risk domain; MITRE ATLAS techniques in scope: LLM Prompt Injection (AML.T0051).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-42935
Vulnerability details
A prompt injection vulnerability in the chatbox of Zhipu AI CodeGeeX v2.17.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Enterprise AI Assistants
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Zhipu AI CodeGeeX is an AI coding assistant with a chatbox interface, fitting the Enterprise AI Assistants category due to its role as an interactive AI assistant for enterprise-like coding tasks.
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Prompt injection vulnerability enables unauthorized access and exfiltration of chat history from the AI assistant's messaging interface, facilitating data collection from messaging applications and discovery of unsecured credentials in chat messages.
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.