CVE-2024-54794
Published: 21 January 2025
Summary
CVE-2024-54794 is a critical-severity Command Injection (CWE-77) vulnerability in Eng SpagoBI, affecting version 3.5.1. Its CVSS v3.1 base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 13.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation); because exploitation requires high privileges (PR:H), tight control over privileged SpagoBI accounts is the practical first line of defence.
Deeper analysis
CVE-2024-54794 affects SpagoBI version 3.5.1, where the script input feature allows arbitrary code execution. The vulnerability, published on 2025-01-21, is classified under CWE-77 (Command Injection) and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). The score is Critical because confidentiality, integrity and availability are all rated High and the scope is Changed.
Exploitation requires network access (AV:N), low attack complexity (AC:L) and high privileges (PR:H), with no user interaction (UI:N). In practice this means an attacker who already holds a privileged SpagoBI account, or a stolen privileged session, can use the script input feature to execute arbitrary code. The scope change (S:C) records that the impact reaches beyond the SpagoBI application itself, and it is what lifts the score from High into Critical despite the high privilege requirement: the same vector with scope Unchanged would score 7.2.
Research on the vulnerability, including potential exploitation details, is documented in the following GitHub repositories: https://github.com/MarioTesoro/CVE-2024-54794 and https://github.com/MarioTesoro/vulnerability-research/tree/main/CVE-2024-54794. No official patch or vendor mitigation guidance is detailed in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-52672
Vulnerability details
The script input feature of SpagoBI 3.5.1 allows arbitrary code execution.
- CWE(s): CWE-77 (Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes command injection through the script input of a public-facing SpagoBI web application. That maps directly to T1190 (Exploit Public-Facing Application) for the initial foothold and to T1059 (Command and Scripting Interpreter) for the arbitrary command or script execution the flaw yields.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validates all user-supplied input to the script input feature for malicious content. Note that a feature whose purpose is to execute user-supplied scripts cannot be made safe by input filtering alone; validation limits the attack surface but does not replace the controls below.
- SI-2 (Flaw Remediation): remediates the command injection flaw in SpagoBI 3.5.1 through timely patching or vendor-recommended mitigations. No official patch or vendor guidance is detailed in the available information, so confirm the vendor's current status before relying on this control.
- CM-7 (Least Functionality): disables or restricts the vulnerable script input feature when it is not essential for operations, and limits it to the smallest set of privileged accounts that genuinely need it, since exploitation requires high privileges (PR:H).