PT-2024-16640 · Unknown · Didi Super-Jacoco

Gaogaostone · Published 2024-11-06 · Updated 2024-11-08 · CVE-2024-10919

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

didi Super-Jacoco version 1.0

Description

A critical issue has been found in the software, affecting an unknown functionality of the file /cov/triggerUnitCover. Manipulation of the uuid argument leads to OS command injection. The issue can be exploited remotely, potentially allowing system takeover. The exploit has been publicly disclosed.

Recommendations

For didi Super-Jacoco version 1.0, patch immediately to prevent OS command injection via the uuid parameter in the /cov/triggerUnitCover file. As a temporary workaround, consider restricting access to the /cov/triggerUnitCover file until a patch is available. Verify that there has been no unauthorized access to the system.
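
For the verification step in the recommendations, the following added example (not part of the original advisory or of the Super-Jacoco project) triages web access logs for requests to /cov/triggerUnitCover and classifies the uuid value of each. It assumes combined-format access logs, that uuid may appear in the query string, and an alphanumeric-and-hyphen allowlist for uuid; none of these details come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/cov/triggerUnitCover"             # path named in the advisory
SAFE_UUID = re.compile(r"[A-Za-z0-9-]{1,64}")  # assumed allowlist, not the project's spec
# Assumed log layout: common/combined access-log format, request line in quotes.
REQUEST = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

def triage(lines):
    """Return (client, status, verdict, uuid) for every request to ENDPOINT."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        if url.path.rstrip("/") != ENDPOINT:
            continue
        # parse_qs percent-decodes, so encoded metacharacters are checked decoded.
        values = parse_qs(url.query, keep_blank_values=True).get("uuid")
        if values is None:
            # uuid may have travelled in the request body, which access logs omit;
            # such requests need review against application logs instead.
            findings.append((client, status, "unverifiable", None))
            continue
        for value in values:
            verdict = "ok" if SAFE_UUID.fullmatch(value) else "suspicious"
            findings.append((client, status, verdict, value))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [07/Nov/2024:10:00:01 +0000] "GET /cov/triggerUnitCover'
    '?uuid=3f2c9a1e-77b0-4d2a-9c1e-0a1b2c3d4e5f HTTP/1.1" 200 41',
    '198.51.100.7 - - [07/Nov/2024:10:03:12 +0000] "GET /cov/triggerUnitCover'
    '?uuid=abc%3Becho%20constructed HTTP/1.1" 200 41',
    '203.0.113.5 - - [07/Nov/2024:10:04:40 +0000] "POST /cov/triggerUnitCover HTTP/1.1" 200 41',
    '192.0.2.10 - - [07/Nov/2024:10:05:00 +0000] "GET /health HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Requests marked "suspicious" or "unverifiable" are starting points for host-level review, not proof of compromise.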

Exploit

Fix

Special Elements Injection

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2024-10919

Affected Products

Didi Super-Jacoco