CVE-2024-41661
CVSS 3.1 Score 8.8 of 10 (high)
Details
Summary
CVE-2024-41661 is a critical vulnerability affecting reNgine, an automated reconnaissance framework for web applications. This issue, present in versions 1.2.0 through 2.1.1, allows authenticated attackers to inject arbitrary commands into the system. The vulnerability stems from the WAF detection tool's failure to sanitize the URL query parameter `url` before passing it to `subprocess.check_output`. This endpoint is accessible to any user with an authenticated account, making it easy for attackers to exploit. Since the `subprocess.check_output` command runs as the root user, successful exploitation grants attackers full root access. A patch for the vulnerability is available in commit edd3c85ee16f93804ad38dac5602549d2d30a93e.
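The pattern described above, next to a hardened form, as an added example that is not reNgine's code and not the fix in the referenced commit. The tool name `waf-tool`, the function names and the sample URLs are hypothetical, and a child Python process stands in for the WAF detection tool so the block runs offline.

```python
import re
import subprocess
import sys
from urllib.parse import urlsplit

# Stand-in for the WAF detection tool (assumption): a child Python process
# that prints the arguments it received.
TOOL = [sys.executable, "-c", "import sys; print(sys.argv[1:])"]

# Constructed sample inputs, not taken from the advisory.
BENIGN = "https://example.com/login?next=/home"
HOSTILE = "https://example.com; echo INJECTED"

def vulnerable_command(url: str) -> str:
    """Unsafe pattern: the raw `url` parameter is pasted into one command
    string. If a shell parses that string, `;` ends the intended command and
    the rest runs as a second one. Built here for inspection, never executed."""
    return f"waf-tool {url}"  # hypothetical tool name

def validate_url(url: str) -> str:
    """Second layer: accept only http(s) URLs with a plain host name
    (IPv6 literals are deliberately not accepted in this sketch)."""
    if any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        raise ValueError("whitespace or control character in URL")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    if not re.fullmatch(r"[a-z0-9.-]+", parts.hostname or ""):
        raise ValueError("unexpected characters in host")
    return url

def run_detector(url: str, validate: bool = True) -> str:
    """Hardened form: an argument list and no shell, so `url` always reaches
    the tool as exactly one argv entry, whatever characters it contains."""
    if validate:
        url = validate_url(url)
    out = subprocess.check_output(TOOL + [url], shell=False, timeout=10)
    return out.decode().strip()

if __name__ == "__main__":
    print(vulnerable_command(HOSTILE))            # two commands to a shell
    print(run_detector(BENIGN))
    print(run_detector(HOSTILE, validate=False))  # one literal argument
    try:
        run_detector(HOSTILE)
    except ValueError as exc:
        print("rejected:", exc)
```

Running the tool as an unprivileged user rather than root would further limit what a missed injection could reach.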