QwikSec

Security Database

CVE

CWE

Training

CVE-2024-12952

Published: Dec 26, 2024

Modified: Dec 26, 2024

PUBLISHED

CVSS v3.1

6.3

MEDIUM

Description

A vulnerability classified as critical was found in melMass comfy_mtb up to 0.1.4. Affected by this vulnerability is the function run_command of the file comfy_mtb/endpoint.py of the component Dependency Handler. The manipulation leads to code injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The patch is named d6e004cce2c32f8e48b868e66b89f82da4887dc3. It is recommended to apply a patch to fix this issue.

Vendor	Product	Versions
melMass	comfy_mtb	affected `0.1.0` affected `0.1.1` affected `0.1.2` affected `0.1.3` affected `0.1.4`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

References

VDB-289315 | melMass comfy_mtb Dependency endpoint.py run_command code injection

vdb-entry

technical-description

VDB-289315 | CTI Indicators (IOB, IOC, TTP, IOA)

signature

permissions-required

Submit #468683 | comfyui comfy_mtb v0.1.4 Code Injection

third-party-advisory

https://github.com/melMass/comfy_mtb/issues/224

issue-tracking

https://github.com/melMass/comfy_mtb/issues/224#issuecomment-2553432365

issue-tracking

https://github.com/melMass/comfy_mtb/issues/224#issuecomment-2552664778

exploit

issue-tracking

https://github.com/melMass/comfy_mtb/commit/d6e004cce2c32f8e48b868e66b89f82da4887dc3

patch

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.