CVE-2024-31457
Code injection vulnerability in github.com/flipped-aurora/gin-vue-admin/server
7.7
HIGH
CVSS 3.1
EPSS 0.33%
Description
Gin-vue-admin has a code injection vulnerability in the backend. In the Plugin System -> Plugin Template feature, the 'plugName' request parameter is used to build the output path of the generated plugin without validation, so an attacker can perform directory traversal (for example with '..' segments) and have the generator create the 'api', 'config', 'global', 'model', 'router' and 'service' folders plus a 'main.go' file inside a directory of their choosing. Moreover, the Go files written into these folders can have arbitrary code inserted through another request parameter, which the advisory describes only as the specific PoC parameter. Because the generated files are Go source written into the application tree, this is an arbitrary-content file write into the codebase rather than a read-only traversal; the vulnerable handler is referenced at server/api/v1/system/sys_auto_code.go:239 in the pre-fix tree.
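The pattern described above, as an added example: a hypothetical reconstruction of a plugin-template generator, not gin-vue-admin's own code. `unsafePluginDir` mirrors the vulnerable shape (the request-supplied plugName is joined straight into the output path), while `safePluginDir` and `generatePlugin` show the two checks a practitioner would want: an identifier-style allow-list on plugName (assumed here because the name becomes Go package and directory names; the project's actual fix may use a different rule) plus a containment check that the resolved path stays under the plugin root, and the same identifier check on any other field that is rendered into the generated `main.go`. All function and variable names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Directories the generator creates under the plugin directory, as listed in
// the advisory; the layout below is a hypothetical reconstruction, not the
// project's code.
var pluginSubdirs = []string{"api", "config", "global", "model", "router", "service"}

// unsafePluginDir mirrors the vulnerable shape: plugName is joined into the
// path unchecked, so "../../tmp/evil" escapes the plugin root.
func unsafePluginDir(root, plugName string) string {
	return filepath.Join(root, plugName)
}

// identRe is an assumed allow-list: a Go-identifier-like name of bounded
// length, which by construction excludes path separators and "..".
var identRe = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9_]{0,63}$`)

var errBadPlugName = errors.New("invalid plugin name")

// safePluginDir validates plugName against the allow-list and, as defence in
// depth, checks that the resolved target is strictly inside root.
func safePluginDir(root, plugName string) (string, error) {
	if !identRe.MatchString(plugName) {
		return "", errBadPlugName
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absRoot, plugName)
	rel, err := filepath.Rel(absRoot, target)
	if err != nil || rel == "." || strings.HasPrefix(rel, "..") {
		return "", errBadPlugName
	}
	return target, nil
}

// generatePlugin writes the scaffold (the subdirectories plus a main.go)
// under the validated plugin directory. pkgIdent stands in for any other
// request field that ends up inside generated Go source: it is checked as an
// identifier before being rendered, so it cannot carry arbitrary code.
func generatePlugin(root, plugName, pkgIdent string) (string, error) {
	dir, err := safePluginDir(root, plugName)
	if err != nil {
		return "", err
	}
	if !identRe.MatchString(pkgIdent) {
		return "", fmt.Errorf("invalid package identifier %q", pkgIdent)
	}
	for _, sub := range pluginSubdirs {
		if err := os.MkdirAll(filepath.Join(dir, sub), 0o755); err != nil {
			return "", err
		}
	}
	src := fmt.Sprintf("package %s\n\n// Plugin %s scaffold\n", pkgIdent, plugName)
	if err := os.WriteFile(filepath.Join(dir, "main.go"), []byte(src), 0o644); err != nil {
		return "", err
	}
	return dir, nil
}

func main() {
	root, err := os.MkdirTemp("", "plugins")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	fmt.Println("unsafe join of traversal name:", unsafePluginDir(root, "../../tmp/evil"))
	if _, err := safePluginDir(root, "../../tmp/evil"); err != nil {
		fmt.Println("safe version rejects it:", err)
	}
	dir, err := generatePlugin(root, "inventory", "inventory")
	fmt.Println("generated:", dir, err)
}
```

The allow-list is the check that actually closes the hole; the `filepath.Rel` containment test is there so that a later relaxation of the regex (say, to permit dots) does not silently reintroduce traversal.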
How to fix CVE-2024-31457
To remediate CVE-2024-31457, upgrade the affected package to a fixed version:
- github.com/flipped-aurora/gin-vue-admin/server: upgrade to 0.0.0-20240409100909-b1b7427c6ea6 or later (the Go pseudo-version of fix commit b1b7427c6ea6c7a027fa188c6be557f3795e732b).
Is CVE-2024-31457 being exploited?
Low. EPSS is 0.33%, a low estimated probability that the vulnerability will be exploited in the wild within the next 30 days; EPSS is a prediction, not evidence that exploitation has or has not occurred, so treat it as a prioritisation signal rather than a confirmation. The CVSS vector (PR:H) also reflects that the plugin template feature is an administrative function: the realistic attacker is a user who already holds an admin session, or an attacker who has compromised one, making this an escalation from application administrator to code execution in the backend's source tree.
Affected packages (2)
- github.com/flipped-aurora/gin-vue-admin/server: from 0, < 0.0.0-20240409100909-b1b7427c6ea6 (both listed entries carry this same range)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.7) | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H |
References (6)
- ADVISORY: nvd.nist.gov/vuln/detail/CVE-2024-31457
- PATCH: github.com/flipped-aurora/gin-vue-admin
- WEB: github.com/flipped-aurora/gin-vue-admin/blob/746af378990ebf3367f8bb3d4e9684936df152e7/server/api/v1/system/sys_auto_code.go:239 (vulnerable handler, pre-fix tree)
- WEB: github.com/flipped-aurora/gin-vue-admin/commit/b1b7427c6ea6c7a027fa188c6be557f3795e732b (fix commit)