CVE-2024-3955
Published: May 2, 2024
Modified: Aug 1, 2024
PUBLISHED
Description
The URL GET parameter "logtime", used by the "downloadlog" function in "cbpi/http_endpoints/http_system.py", is subsequently passed to the "os.system" function in "cbpi/controller/system_controller.py" without prior validation, allowing arbitrary code execution. This issue affects CraftBeerPi 4: from 4.0.0.58 (commit 563fae9) before 4.4.1.a1 (commit 57572c7).
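The weakness described above is the general pattern of interpolating a request parameter into a string handed to `os.system`. The following added example (written for this page, not CraftBeerPi's own code) shows that pattern next to a hardened form: the value is checked against a strict whitelist and then passed as a separate argv element to `subprocess.run`, so it never reaches a shell. The `journalctl --since` command and the accepted "<number><unit>" format for `logtime` are assumptions for illustration; the project's real command and parameter format are not given on this page.

```python
import re
import subprocess

# --- Vulnerable pattern (illustration of what the CVE describes, not the project's code) ---
# The request parameter is spliced into a command string that os.system hands to /bin/sh,
# so any shell metacharacters inside it are interpreted by the shell.
def build_shell_command_unsafe(logtime: str) -> str:
    return f"journalctl --since '{logtime}' > /tmp/cbpi.log"  # assumed command


# --- Hardened form ---
# Assumed format: an integer followed by a unit letter, e.g. "30m" or "2h".
LOGTIME_RE = re.compile(r"^\d{1,6}[smhd]$")


def validate_logtime(logtime: str) -> str:
    """Accept only values that match the whitelist; reject everything else."""
    if not LOGTIME_RE.fullmatch(logtime):
        raise ValueError(f"invalid logtime: {logtime!r}")
    return logtime


def build_argv(logtime: str) -> list[str]:
    """Build an argv list: each element is one argument, no shell is involved."""
    return ["journalctl", "--since", validate_logtime(logtime)]


def download_log(logtime: str) -> bytes:
    """Run the assumed log command without a shell and return its output."""
    return subprocess.run(build_argv(logtime), check=True, capture_output=True).stdout


if __name__ == "__main__":
    # Constructed inputs: a well-formed value and one carrying a shell metacharacter.
    for candidate in ("30m", "30m;extra"):
        try:
            print(build_argv(candidate))
        except ValueError as exc:
            print("rejected:", exc)
```

`build_argv` is the unit worth testing in a review: a value containing `;`, `|`, quotes or whitespace can never produce a list, only a `ValueError`, whereas the unsafe builder happily embeds the same value in a shell string.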
| Vendor | Product | Versions |
|---|---|---|
| PiBrewing | CraftBeerPi 4 | affected 4.0.0.58 (commit 563fae9) - < 4.4.1.a1 (commit 57572c7) |
| CraftBeerPi - Brewing Controller | CraftBeerPi 4 | affected 4.0.0.58 (commit 563fae9) - <= * |
Weaknesses (CWE)
References
https://cert.pl/en/posts/2024/05/CVE-2024-3955/ (third-party-advisory)
https://cert.pl/posts/2024/05/CVE-2024-3955/ (third-party-advisory)
https://github.com/PiBrewing/craftbeerpi4/issues/132 (issue-tracking)