CVE-2024-41961 CRITICAL

CVE-2024-41961: Elektra vulnerable to remote code execution in universal search

Vendor Sapcc
Product elektra
Weakness CWE-94 · Code injection
Published August 1, 2024
Last update August 7, 2024

CVSS base score

9.2/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H/E:X/RL:O/RC:C

What the vulnerability does

01Description

Elektra is an opinionated Openstack Dashboard for Operators and Consumers of Openstack Services. A code injection vulnerability was found in the live search functionality of the Ruby on Rails based Elektra web application. An authenticated user can craft a search term containing Ruby code, which later flows into an `eval` sink which executes the code. Fixed in commit 8bce00be93b95a6512ff68fe86bf9554e486bc02.

Key dates

02Disclosure timeline

August 1, 2024 CVE published
August 7, 2024 Record updated