Command Injection Vulnerability in Rizin Framework
CVE-2024-53256

7.8HIGH

Key Information:

Vendor

Rizinorg

Status
Rizin
Vendor
CVE Published:
23 December 2024

What is CVE-2024-53256?

The Rizin Framework, a UNIX-like reverse engineering toolset, contains a vulnerability stemming from an insecure code snippet in rizin.c related to command execution. Specifically, the vulnerable code allows an attacker to exploit user-defined binary class attributes, enabling the execution of a malicious binary if certain conditions are met. When rclass is set to fs, it can trigger malicious behavior if it interacts with a crafted binary containing defined bclass attributes. This vulnerability is addressed in version 0.7.4 and emphasizes the importance of updating to the latest version to mitigate potential exploits.

Affected Version(s)

rizin < 0.7.4

References

https://github.com/rizinorg/rizin/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/rizinorg/rizin/commit/db6c5b39c065ce71...
x_refsource_MISC
https://github.com/rizinorg/rizin/blob/be24ca8879ed9c58f2...
x_refsource_MISC

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.