CVE-2024-44809

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-44809

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

A

remote code execution (RCE) vulnerability exists in the Pi Camera project, version 1.0, maintained by RECANTHA. The issue arises from improper sanitization of user input passed to the "position" GET parameter in the tilt.php script. An attacker can exploit this by sending crafted input data that includes malicious command sequences, allowing arbitrary commands to be executed on the server with the privileges of the web server user. This vulnerability is exploitable remotely and poses significant risk if the application is exposed to untrusted networks.

References
Link Resource
https://github.com/recantha/camera-pi/blob/ef018d212288cb16404f0b050593d20f0dc0467b/www/tilt.php#L4
https://jacobmasse.medium.com/cve-2024-44809-remote-code-execution-in-raspberry-pi-camera-project-4b8e3486a628
Configurations

No configuration.

History

04 Sep 2024, 14:35

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
CWE CWE-20

04 Sep 2024, 13:05

Type Values Removed Values Added
Summary
  • (es) Existe una vulnerabilidad de ejecución de código remoto (RCE) en el proyecto Pi Camera, versión 1.0, mantenido por RECANTHA. El problema surge de una desinfección inadecuada de la entrada del usuario que se pasa al parámetro GET "position" en el script tilt.php. Un atacante puede aprovechar esto enviando datos de entrada creados que incluyen secuencias de comandos maliciosas, lo que permite ejecutar comandos arbitrarios en el servidor con los privilegios del usuario del servidor web. Esta vulnerabilidad se puede explotar de forma remota y plantea un riesgo significativo si la aplicación se expone a redes que no son de confianza.

03 Sep 2024, 22:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-03 22:15

Updated : 2024-09-04 14:35

NVD link : CVE-2024-44809

Mitre link : CVE-2024-44809

CVE.ORG link : CVE-2024-44809

JSON object : View

Products Affected

No product.

CWE
CWE-20

Improper Input Validation