CVE-2024-31457
Code injection vulnerability in github.com/flipped-aurora/gin-vue-admin/server
7.7
HIGH
CVSS 3.1
EPSS 0.33%
Description
Gin-vue-admin has a code injection vulnerability in the backend. In the Plugin System -> Plugin Template feature, an attacker can perform directory traversal by manipulating the 'plugName' parameter. They can create specific folders such as 'api', 'config', 'global', 'model', 'router', 'service', and 'main.go' function within the specified traversal directory. Moreover, the Go files within these folders can have arbitrary code inserted based on a specific PoC parameter.
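How to fix CVE-2024-31457
To fix CVE-2024-31457, upgrade the affected packages to the patched versions below.
- Upgrade to 0.0.0-20240409100909-b1b7427c6ea6 or later
- Upgrade to 0.0.0-20240409100909-b1b7427c6ea6 or later
Is CVE-2024-31457 being exploited?
Low: EPSS is 0.3%, and no large-scale exploitation activity has been observed so far.
Affected packages (2)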
- from 0, < 0.0.0-20240409100909-b1b7427c6ea6
- from 0, < 0.0.0-20240409100909-b1b7427c6ea6
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.7 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H |
References (6)
- ADVISORY: nvd.nist.gov/vuln/detail/CVE-2024-31457
- PATCH: github.com/flipped-aurora/gin-vue-admin
- WEB: github.com/flipped-aurora/gin-vue-admin/blob/746af378990ebf3367f8bb3d4e9684936df152e7/server/api/v1/system/sys_auto_code.go:239
- WEB: github.com/flipped-aurora/gin-vue-admin/commit/b1b7427c6ea6c7a027fa188c6be557f3795e732b