PT-2024-28526 · Unknown · Craftbeerpi 4

Pondzik +1 · Published 2024-05-02 · Updated 2024-07-03 · CVE-2024-3955

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CraftBeerPi 4 versions 4.0.0.58 through 4.4.1.a1

Description: The issue arises from the URL GET parameter "logtime" being used in the "downloadlog" function in "cbpi/http_endpoints/http_system.py". This parameter is then passed to the os.system function in "cbpi/controller/system_controller.py" without prior validation, allowing the execution of arbitrary OS commands.

Recommendations: For CraftBeerPi 4 versions 4.0.0.58 through 4.4.1.a1, update to a version after 4.4.1.a1 to resolve the issue. As a temporary workaround, consider disabling the downloadlog function until a patch is available. Restrict access to the os.system function to minimize the risk of exploitation. Avoid using the logtime parameter in the affected API endpoint until the issue is resolved.
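The root cause described above is a user-controlled value reaching os.system, where a shell reinterprets it. The following is an added example (not CraftBeerPi's own code, and not the fix shipped by the project) showing the hardened shape of such a handler: the logtime value is checked against a strict allowlist and then passed as one element of an argument list to subprocess.run, so no shell ever sees it. The timestamp format (YYYYMMDD_HHMMSS), the zip command and the log directory are assumptions made for this example.

```python
import re
import subprocess
from datetime import datetime
from typing import Callable, List

# Strict allowlist for the logtime value. The advisory does not state the
# real format, so YYYYMMDD_HHMMSS is an assumption made for this example.
LOGTIME_RE = re.compile(r"[0-9]{8}_[0-9]{6}")


def validate_logtime(logtime: str) -> str:
    """Return logtime unchanged if it is a well-formed timestamp, else raise ValueError.

    Shell metacharacters, path separators and anything else outside the
    allowlist fail the regex; values that have the right shape but are not
    real dates (month 13, hour 25) fail strptime.
    """
    if not isinstance(logtime, str) or not LOGTIME_RE.fullmatch(logtime):
        raise ValueError("logtime rejected: not in the allowed format")
    datetime.strptime(logtime, "%Y%m%d_%H%M%S")  # raises ValueError on impossible dates
    return logtime


def is_safe_logtime(logtime: str) -> bool:
    """Boolean wrapper around validate_logtime for callers that prefer a check."""
    try:
        validate_logtime(logtime)
        return True
    except ValueError:
        return False


def build_zip_argv(logtime: str, log_dir: str = "./logs") -> List[str]:
    """Build the command as an argument list, never as a shell string.

    The zip invocation and paths are hypothetical placeholders; the point is
    that each argument goes to the program directly, so the user-supplied
    value can never be reinterpreted by a shell.
    """
    archive = f"{log_dir}/logs_{logtime}.zip"
    return ["zip", "-r", archive, log_dir]


def download_log(logtime: str, log_dir: str = "./logs",
                 runner: Callable[..., object] = subprocess.run) -> List[str]:
    """Hardened counterpart of the pattern the advisory describes.

    Validation happens first; only then is the command assembled and run
    without a shell (shell=False is the subprocess.run default). The runner
    is injectable so the function can be exercised without touching the system.
    """
    safe = validate_logtime(logtime)
    argv = build_zip_argv(safe, log_dir)
    runner(argv, check=True)
    return argv


if __name__ == "__main__":
    # Dry run with constructed inputs: print the argv instead of executing it.
    dry = lambda argv, **kw: print("would run:", argv)
    print(download_log("20240502_131500", runner=dry))
    for bad in ["20240502_131500; echo hi", "../20240502_131500", "20241301_000000"]:
        print(bad, "->", "accepted" if is_safe_logtime(bad) else "rejected")
```

Two layers matter here: the allowlist rejects anything that is not a timestamp (including metacharacters and path traversal), and the argument-list form of subprocess.run removes the shell from the picture entirely, so even a future gap in the validator cannot turn into command execution.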

Fix

Code Injection

Weakness Enumeration

Related Identifiers: CVE-2024-3955, GHSA-4F92-W438-F484

Affected Products: Craftbeerpi 4