Code Injection Vulnerabilities in Arduino ESP32 by Espressif
CVE-2024-45798

Currently unrated

Key Information:

Vendor
Espressif
CVE Published:
17 September 2024

Summary

The Arduino ESP32 core, used across various ESP32 microcontrollers, has multiple vulnerabilities related to code injection and environment variable injection. Specifically, the tests_results.yml workflow is vulnerable to unauthorized code injection (GHSL-2024-169) and to potential injection of untrusted environment variables (GHSL-2024-170). Although these vulnerabilities have been addressed in recent updates, users are strongly encouraged to verify the integrity of any downloaded artifacts to mitigate risks associated with these exposures.

References

Timeline

  • Vulnerability published
