PT-2024-21046 · Yocto Project

Michael Blunt · Published 2024-02-19 · Updated 2025-02-03

CVE-2024-25626
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Yocto Project versions prior to 5.0
Yocto Project versions 3.1.x through 3.1.30
Yocto Project versions 4.0.x through 4.0.15
Yocto Project versions 4.3.x through 4.3.1
Bitbake versions prior to 2.6.2

Description

The vulnerability is caused by missing input validation in the Toaster server, which ships with Bitbake. It allows an unauthenticated attacker to execute arbitrary commands in the server's shell via a crafted HTTP request. The Toaster server is not used by default Bitbake command-line builds; it runs only to serve the Toaster web-based user interface to Bitbake, so only hosts that expose that interface are reachable.

Recommendations

For Yocto Project versions prior to 5.0, update to version 5.0 or later.
For Yocto Project versions 3.1.x through 3.1.30, update to version 3.1.31 or later.
For Yocto Project versions 4.0.x through 4.0.15, update to version 4.0.16 or later.
For Yocto Project versions 4.3.x through 4.3.1, update to version 4.3.2 or later.
For Bitbake versions prior to 2.6.2, update to version 2.6.2 or later.

As a temporary workaround, consider disabling the Toaster server until a patch is available. Restrict access to the Toaster web-based user interface to minimize the risk of exploitation.
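As an added check that is not part of the advisory: the script below encodes the affected and fixed versions listed above and reports whether an installed Yocto Project or Bitbake version still needs the update. It follows the advisory's logic that the 3.1, 4.0 and 4.3 Yocto maintenance branches received backported fixes, while any other release before 5.0 must move to 5.0. The product keys, function names and the sample banner line used as input are assumptions of this example, not anything published with the advisory.

```python
import re

# Fix versions exactly as published in the advisory. MAINLINE_FIX is the first
# release that is not affected; BRANCH_FIX lists maintenance branches that
# received a backported fix, keyed by (major, minor).
MAINLINE_FIX = {"yocto": "5.0", "bitbake": "2.6.2"}
BRANCH_FIX = {
    "yocto": {(3, 1): "3.1.31", (4, 0): "4.0.16", (4, 3): "4.3.2"},
    "bitbake": {},
}

# Constructed sample input; the banner format is an assumption of this example,
# not quoted from the page.
SAMPLE_BITBAKE_BANNER = "BitBake Build Tool Core version 2.6.1"

VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text):
    """Return the first dotted version found in `text` as a 3-tuple of ints.

    Accepts bare versions ("4.0.15") as well as lines that embed one, and
    pads short versions so that "5.0" compares as (5, 0, 0).
    """
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in match.group(0).split("."))
    return (parts + (0, 0, 0))[:3]


def is_affected(product, version):
    """True if `version` of `product` falls inside an affected range."""
    v = parse_version(version)
    # Anything at or past the mainline fix is clean.
    if v >= parse_version(MAINLINE_FIX[product]):
        return False
    # A maintenance branch with a backported fix is clean from that release on.
    branch_fix = BRANCH_FIX[product].get(v[:2])
    if branch_fix and v >= parse_version(branch_fix):
        return False
    return True


def recommended_update(product, version):
    """Return the advisory's target version for an affected install, else None."""
    if not is_affected(product, version):
        return None
    v = parse_version(version)
    return BRANCH_FIX[product].get(v[:2], MAINLINE_FIX[product])


def report(product, version):
    """Human-readable one-line verdict for an inventory or audit script."""
    target = recommended_update(product, version)
    if target is None:
        return f"{product} {version}: not affected by CVE-2024-25626"
    return f"{product} {version}: AFFECTED, update to {target} or later"


if __name__ == "__main__":
    for product, version in [
        ("yocto", "4.0.15"),
        ("yocto", "4.0.16"),
        ("yocto", "4.2"),
        ("bitbake", SAMPLE_BITBAKE_BANNER),
    ]:
        print(report(product, version))
```

Feed it the output of your own inventory (for example the version string from your Bitbake installation); the check only decides against the ranges in this advisory and does not know about later releases or distribution backports.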

Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2024-25626
GHSA-75XW-78MM-72R4

Affected Products

Bitbake
Yocto Project