Fast and Customizable Vulnerability Scanner Affected by Security Oversight
CVE-2024-27920

7.4 HIGH

Key Information:

Status
Vendor
CVE Published: 15 March 2024

Summary

A significant security issue has been identified in Nuclei, a fast and customizable vulnerability scanner developed by ProjectDiscovery. The flaw allows unsigned code templates to be executed through workflows, and it particularly affects users who run custom workflows. It may allow attackers to execute malicious code on affected systems, posing substantial risks to the integrity and security of user environments. Affected users are encouraged to apply the security patch provided in Nuclei v3.2.0. In the interim, users should avoid executing any unverified custom workflows and use only templates from trusted sources to minimize the risk of exploitation.

Affected Version(s)

nuclei >= 3.0.0, < 3.2.0

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
