Arbitrary Code Execution Vulnerability in Nuclei Vulnerability Scanner
CVE-2024-40641
Summary
The Nuclei vulnerability scanner, developed by ProjectDiscovery, is affected by a significant flaw that allows arbitrary command execution due to improper handling of code templates. Specifically, the vulnerability can be exploited in web applications that inherit from Nuclei and let users edit workflow files without enforcing the necessary restrictions via the -code option. Users of such an application can execute potentially malicious commands, affecting system integrity. The issue is fixed in version 3.3.0. There are no viable workarounds, so users are strongly encouraged to upgrade their installations.
Affected Version(s)
nuclei >= 3.0.0, < 3.3.0