CVE-2024-25626 HIGH

CVE-2024-25626: Yocto Project Security Advisory - BitBake/Toaster

Vendor Yoctoproject

Product poky

Weakness CWE-78

Published February 19, 2024

Last update August 28, 2024

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Yocto Project is an open source collaboration project that helps developers create custom Linux-based systems regardless of the hardware architecture. In Yocto Projects Bitbake before 2.6.2 (before and included Yocto Project 4.3.1), with the Toaster server (included in bitbake) running, missing input validation allows an attacker to perform a remote code execution in the server's shell via a crafted HTTP request. Authentication is not necessary. Toaster server execution has to be specifically run and is not the default for Bitbake command line builds, it is only used for the Toaster web based user interface to Bitbake. The fix has been backported to the bitbake included with Yocto Project 5.0, 3.1.31, 4.0.16, and 4.3.2.

Key dates

02Disclosure timeline

February 19, 2024 CVE published

August 28, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-25626 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

Identifiers

CVE CVE-2024-25626

CWE CWE-78

CVSS 8.8 / HIGH

Affected versions

Vendor Yoctoproject

Product poky

Affected >= 4.3.0, < 4.3.2

Vendor Yoctoproject

Product poky

Affected >= 4.0.0, < 4.0.16

Vendor Yoctoproject

Product poky

Affected < 3.1.31

CVE-2024-25626: Yocto Project Security Advisory - BitBake/Toaster

01Description

02Disclosure timeline

03References

04Related CVE