{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-12358","assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","state":"PUBLISHED","assignerShortName":"VulDB","dateReserved":"2024-12-08T20:40:24.617Z","datePublished":"2024-12-09T04:31:11.396Z","dateUpdated":"2024-12-09T19:57:29.558Z"},"containers":{"cna":{"providerMetadata":{"orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB","dateUpdated":"2024-12-09T04:31:11.396Z"},"title":"WeiYe-Jing datax-web add os command injection","problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-78","lang":"en","description":"OS Command Injection"}]},{"descriptions":[{"type":"CWE","cweId":"CWE-77","lang":"en","description":"Command Injection"}]}],"affected":[{"vendor":"WeiYe-Jing","product":"datax-web","versions":[{"version":"2.1.1","status":"affected"}]}],"descriptions":[{"lang":"en","value":"A vulnerability was found in WeiYe-Jing datax-web 2.1.1. It has been classified as critical. This affects an unknown part of the file /api/job/add/. The manipulation of the argument glueSource leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."},{"lang":"de","value":"Es wurde eine Schwachstelle in WeiYe-Jing datax-web 2.1.1 ausgemacht. Sie wurde als kritisch eingestuft. Es geht dabei um eine nicht klar definierte Funktion der Datei /api/job/add/. Dank Manipulation des Arguments glueSource mit unbekannten Daten kann eine os command injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Der Exploit steht zur öffentlichen Verfügung."}],"metrics":[{"cvssV4_0":{"version":"4.0","baseScore":5.3,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N","baseSeverity":"MEDIUM"}},{"cvssV3_1":{"version":"3.1","baseScore":6.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseSeverity":"MEDIUM"}},{"cvssV3_0":{"version":"3.0","baseScore":6.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseSeverity":"MEDIUM"}},{"cvssV2_0":{"version":"2.0","baseScore":6.5,"vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P"}}],"timeline":[{"time":"2024-12-08T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"time":"2024-12-08T01:00:00.000Z","lang":"en","value":"VulDB entry created"},{"time":"2024-12-08T21:45:35.000Z","lang":"en","value":"VulDB entry last update"}],"credits":[{"lang":"en","value":"jxp. (VulDB User)","type":"reporter"}],"references":[{"url":"https://vuldb.com/?id.287277","name":"VDB-287277 | WeiYe-Jing datax-web add os command injection","tags":["vdb-entry","technical-description"]},{"url":"https://vuldb.com/?ctiid.287277","name":"VDB-287277 | CTI Indicators (IOB, IOC, TTP, IOA)","tags":["signature","permissions-required"]},{"url":"https://vuldb.com/?submit.457865","name":"Submit #457865 | https://github.com/WeiYe-Jing/ https://github.com/WeiYe-Jing/datax-web 2.1.1 OS Command Injection","tags":["third-party-advisory"]},{"url":"https://github.com/jxp98/VulResearch/blob/main/2024/12/1.Datax-Web%20-%20Remote%20Code%20Execution.md","tags":["exploit"]}]},"adp":[{"affected":[{"vendor":"weiye-jing","product":"datax-web","cpes":["cpe:2.3:a:weiye-jing:datax-web:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"2.1.1","status":"affected"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-12-09T19:56:17.731965Z","id":"CVE-2024-12358","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-12-09T19:57:29.558Z"}}]}}