PT-2024-25255 · Tiagorlampert · Chaos

Govulnbot · Published 2024-04-12 · Updated 2024-07-03 · CVE-2024-33434

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

tiagorlampert CHAOS versions before 1b451cf62582295b7225caf5a7b506f0bad56f6b and 24c9e109b5be34df7b2bce8368eae669c481ed5e
tiagorlampert CHAOS version v5.0.1

Description

The issue allows a remote attacker to execute arbitrary code via the unsafe concatenation of the filename argument into the buildStr string without any sanitization or filtering. A remote attacker can also execute arbitrary commands via crafted HTTP requests. The BuildClient function within client service.go is also vulnerable.

Recommendations

For tiagorlampert CHAOS versions before 1b451cf62582295b7225caf5a7b506f0bad56f6b and 24c9e109b5be34df7b2bce8368eae669c481ed5e, consider disabling the buildStr string concatenation until a patch is available. For tiagorlampert CHAOS version v5.0.1, restrict access to the BuildClient function within client service.go to minimize the risk of exploitation. Avoid using the filename argument in affected API endpoints until the issue is resolved.
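
The weakness class in the Description, shown as an added example that is not CHAOS code: a request-supplied filename concatenated into a command string, next to a variant that validates the name against an allowlist and builds an argument vector instead. The command layout and the names `unsafeBuildStr`, `safeBuildArgs` and `errBadFilename` are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Allowlist for the output name: must start with a letter or digit (so it can
// never be read as a "-flag"), then letters, digits, '.', '_' or '-' only.
var safeName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$`)

var errBadFilename = errors.New("filename rejected")

// unsafeBuildStr shows the pattern the advisory describes (hypothetical command
// layout): the filename lands inside a string that a shell will later parse,
// so shell metacharacters in it change the command.
func unsafeBuildStr(filename string) string {
	return "go build -o " + filename + " main.go"
}

// safeBuildArgs validates the filename, then returns an argument vector meant
// for exec.Command(args[0], args[1:]...), which never invokes a shell.
func safeBuildArgs(filename string) ([]string, error) {
	if !safeName.MatchString(filename) || strings.Contains(filename, "..") {
		return nil, errBadFilename
	}
	return []string{"go", "build", "-o", filename, "main.go"}, nil
}

func main() {
	// Constructed sample inputs, not taken from any real request.
	samples := []string{"client.exe", "client; echo injected", "../out", "-x"}
	for _, name := range samples {
		args, err := safeBuildArgs(name)
		if err != nil {
			fmt.Printf("%-24q rejected (unsafe string would be %q)\n",
				name, unsafeBuildStr(name))
			continue
		}
		fmt.Printf("%-24q argv=%q\n", name, args)
	}
}
```
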

Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2024-33434
GHSA-P3J6-F45H-HW5F
GHSA-XFJJ-F699-RC79
GO-2024-2822

Affected Products

Chaos