Remote Code Injection Vulnerability in Spider-Flow FunctionService (VDB-249510)

CVE-2024-0195

9.8CRITICAL

Key Information

Vendor: Ssssssss
Status: spider-flow
Vendor: CVE Published:; 2 January 2024

Badges

👾 Exploit Exists🔴 Public PoC🟣 EPSS 93%

Summary

A vulnerability, which was classified as critical, was found in spider-flow 0.4.3. Affected is the function FunctionService.saveFunction of the file src/main/java/org/spiderflow/controller/FunctionController.java. The manipulation leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-249510 is the identifier assigned to this vulnerability.

Affected Version(s)

spider-flow = 0.4.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-0195-SpiderFlow
Created by fa-rrel

EPSS Score

93% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

👾
Exploit exists.
Jun 11, 2024
Vulnerability Reserved.
Jan 2, 2024
Vulnerability published.
Jan 2, 2024

Collectors

NVD DatabaseMitre Database1 Proof of Concept(s)

Credit

puppy (VulDB User)