CVE-2024-23347

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

P

rior to v176, when opening a new project Meta Spark Studio would execute scripts defined inside of a package.json file included as part of that project. Those scripts would have the ability to execute arbitrary code on the system as the application.

References

Link	Resource
https://www.facebook.com/security/advisories/cve-2024-23347	Vendor Advisory
https://www.facebook.com/security/advisories/cve-2024-23347	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:facebook:meta_spark_studio:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:57

Type	Values Removed	Values Added
References	~~() https://www.facebook.com/security/advisories/cve-2024-23347 - Vendor Advisory~~	() https://www.facebook.com/security/advisories/cve-2024-23347 - Vendor Advisory

Information

Published : 2024-01-16 18:15

Updated : 2025-06-20 18:15

NVD link : CVE-2024-23347

Mitre link : CVE-2024-23347

CVE.ORG link : CVE-2024-23347

JSON object : View

Products Affected

meta_spark_studio

CWE

NVD-CWE-noinfo

{"id": "CVE-2024-23347", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-01-16T18:15:11.267", "references": [{"url": "https://www.facebook.com/security/advisories/cve-2024-23347", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://www.facebook.com/security/advisories/cve-2024-23347", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Prior to v176, when opening a new project Meta Spark Studio would execute scripts defined inside of a package.json file included as part of that project. Those scripts would have the ability to execute arbitrary code on the system as the application."}, {"lang": "es", "value": "Antes de v176, al abrir un nuevo proyecto, Meta Spark Studio ejecutaba scripts definidos dentro de un archivo package.json incluido como parte de ese proyecto. Esos scripts tendr\u00edan la capacidad de ejecutar c\u00f3digo arbitrario en el sistema como aplicaci\u00f3n."}], "lastModified": "2025-06-20T18:15:28.087", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:facebook:meta_spark_studio:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4A2477AC-6870-4B94-B74E-BA1DBEC2F2DD", "versionEndExcluding": "176"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}