CVE-2024-34060 (GCVE-0-2024-34060)
Vulnerability from cvelistv5 – Published: 2024-05-23 12:01 – Updated: 2024-08-02 02:42
VLAI?
Title
Arbitrary File Write in IRIS EVTX Pipeline
Summary
IrisEVTXModule is an interface module for Evtx2Splunk and Iris in order to ingest Microsoft EVTX log files. The `iris-evtx-module` is a pipeline plugin of `iris-web` that processes EVTX files through IRIS web application. During the upload of an EVTX through this pipeline, the filename is not safely handled and may cause an Arbitrary File Write. This can lead to a remote code execution (RCE) when combined with a Server Side Template Injection (SSTI). This vulnerability has been patched in version 1.0.0.
Severity ?
8.8 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| dfir-iris | iris-evtx-module |
Affected:
< 1.0.0
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:dfir-iris:iris-evtx-module:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "iris-evtx-module",
"vendor": "dfir-iris",
"versions": [
{
"lessThan": "1.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34060",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-24T20:15:05.792610Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:42:11.329Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:42:59.989Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/dfir-iris/iris-evtx-module/security/advisories/GHSA-9rw6-5q9j-82fm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/dfir-iris/iris-evtx-module/security/advisories/GHSA-9rw6-5q9j-82fm"
},
{
"name": "https://github.com/dfir-iris/iris-evtx-module/commit/4e45fc94a31e1ee4641d608a387dfd9f9e68dbca",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dfir-iris/iris-evtx-module/commit/4e45fc94a31e1ee4641d608a387dfd9f9e68dbca"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iris-evtx-module",
"vendor": "dfir-iris",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "IrisEVTXModule is an interface module for Evtx2Splunk and Iris in order to ingest Microsoft EVTX log files. The `iris-evtx-module` is a pipeline plugin of `iris-web` that processes EVTX files through IRIS web application. During the upload of an EVTX through this pipeline, the filename is not safely handled and may cause an Arbitrary File Write. This can lead to a remote code execution (RCE) when combined with a Server Side Template Injection (SSTI). This vulnerability has been patched in version 1.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-23T12:01:39.630Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dfir-iris/iris-evtx-module/security/advisories/GHSA-9rw6-5q9j-82fm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dfir-iris/iris-evtx-module/security/advisories/GHSA-9rw6-5q9j-82fm"
},
{
"name": "https://github.com/dfir-iris/iris-evtx-module/commit/4e45fc94a31e1ee4641d608a387dfd9f9e68dbca",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dfir-iris/iris-evtx-module/commit/4e45fc94a31e1ee4641d608a387dfd9f9e68dbca"
}
],
"source": {
"advisory": "GHSA-9rw6-5q9j-82fm",
"discovery": "UNKNOWN"
},
"title": "Arbitrary File Write in IRIS EVTX Pipeline"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34060",
"datePublished": "2024-05-23T12:01:39.630Z",
"dateReserved": "2024-04-30T06:56:33.380Z",
"dateUpdated": "2024-08-02T02:42:59.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-34060\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-05-23T12:15:10.807\",\"lastModified\":\"2024-11-21T09:18:00.280\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"IrisEVTXModule is an interface module for Evtx2Splunk and Iris in order to ingest Microsoft EVTX log files. The `iris-evtx-module` is a pipeline plugin of `iris-web` that processes EVTX files through IRIS web application. During the upload of an EVTX through this pipeline, the filename is not safely handled and may cause an Arbitrary File Write. This can lead to a remote code execution (RCE) when combined with a Server Side Template Injection (SSTI). This vulnerability has been patched in version 1.0.0.\"},{\"lang\":\"es\",\"value\":\"IrisEVTXModule es un m\u00f3dulo de interfaz para Evtx2Splunk e Iris para ingerir archivos de registro de Microsoft EVTX. El `iris-evtx-module` es un complemento de canalizaci\u00f3n de `iris-web` que procesa archivos EVTX a trav\u00e9s de la aplicaci\u00f3n web IRIS. Durante la carga de un EVTX a trav\u00e9s de esta canalizaci\u00f3n, el nombre del archivo no se maneja de forma segura y puede provocar una escritura de archivo arbitraria. Esto puede conducir a una ejecuci\u00f3n remota de c\u00f3digo (RCE) cuando se combina con una inyecci\u00f3n de plantilla del lado del servidor (SSTI). Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 1.0.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"references\":[{\"url\":\"https://github.com/dfir-iris/iris-evtx-module/commit/4e45fc94a31e1ee4641d608a387dfd9f9e68dbca\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/dfir-iris/iris-evtx-module/security/advisories/GHSA-9rw6-5q9j-82fm\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/dfir-iris/iris-evtx-module/commit/4e45fc94a31e1ee4641d608a387dfd9f9e68dbca\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/dfir-iris/iris-evtx-module/security/advisories/GHSA-9rw6-5q9j-82fm\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/dfir-iris/iris-evtx-module/security/advisories/GHSA-9rw6-5q9j-82fm\", \"name\": \"https://github.com/dfir-iris/iris-evtx-module/security/advisories/GHSA-9rw6-5q9j-82fm\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/dfir-iris/iris-evtx-module/commit/4e45fc94a31e1ee4641d608a387dfd9f9e68dbca\", \"name\": \"https://github.com/dfir-iris/iris-evtx-module/commit/4e45fc94a31e1ee4641d608a387dfd9f9e68dbca\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T02:42:59.989Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-34060\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-24T20:15:05.792610Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:dfir-iris:iris-evtx-module:*:*:*:*:*:*:*:*\"], \"vendor\": \"dfir-iris\", \"product\": \"iris-evtx-module\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.0.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-24T20:11:27.192Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"Arbitrary File Write in IRIS EVTX Pipeline\", \"source\": {\"advisory\": \"GHSA-9rw6-5q9j-82fm\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"dfir-iris\", \"product\": \"iris-evtx-module\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/dfir-iris/iris-evtx-module/security/advisories/GHSA-9rw6-5q9j-82fm\", \"name\": \"https://github.com/dfir-iris/iris-evtx-module/security/advisories/GHSA-9rw6-5q9j-82fm\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/dfir-iris/iris-evtx-module/commit/4e45fc94a31e1ee4641d608a387dfd9f9e68dbca\", \"name\": \"https://github.com/dfir-iris/iris-evtx-module/commit/4e45fc94a31e1ee4641d608a387dfd9f9e68dbca\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"IrisEVTXModule is an interface module for Evtx2Splunk and Iris in order to ingest Microsoft EVTX log files. The `iris-evtx-module` is a pipeline plugin of `iris-web` that processes EVTX files through IRIS web application. During the upload of an EVTX through this pipeline, the filename is not safely handled and may cause an Arbitrary File Write. This can lead to a remote code execution (RCE) when combined with a Server Side Template Injection (SSTI). This vulnerability has been patched in version 1.0.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-05-23T12:01:39.630Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-34060\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T02:42:59.989Z\", \"dateReserved\": \"2024-04-30T06:56:33.380Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-05-23T12:01:39.630Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…