PT-2024-17566 · Weiye Jing · Datax-Web

Jxp · Published 2024-12-09 · Updated 2024-12-10 · CVE-2024-12358

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

WeiYe-Jing datax-web version 2.1.1

Description

A critical issue has been found, affecting an unknown part of the file "/api/job/add/". Manipulation of the glueSource argument leads to OS command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Recommendations

For WeiYe-Jing datax-web version 2.1.1, as a temporary workaround, consider disabling access to the "/api/job/add/" endpoint until a patch is available. Restrict the use of the glueSource argument to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

OS Command Injection

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2024-12358

Affected Products

Datax-Web