CVE-2024-56333 CRITICAL

CVE-2024-56333: Remote code execution in onyxia-api

Vendor Inseefrlab
Product onyxia
Weakness CWE-94 · Code injection
Published December 20, 2024
Last update December 24, 2024

CVSS base score

9.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High (VC:H)
Integrity High (VI:H)

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

Description

Onyxia is a web app that aims to be the glue between multiple open source backend technologies, providing a state-of-the-art working environment for data scientists. This critical vulnerability allows authenticated users to remotely execute code within the Onyxia-API, with potential consequences including unauthorized access to other users' environments and denial of service. The issue has been patched in API versions 4.2.0, 3.1.1, and 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

Disclosure timeline

December 20, 2024 CVE published
December 24, 2024 Record updated