
CVE-2024-29640: aliyundrive-webdav vulnerable to Command Injection

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.81933%
Published: 3/29/2024
Updated: 3/29/2024
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name         Ecosystem   Vulnerable Versions   First Patched Version
aliyundrive-webdav   rust        <= 2.3.3              (not listed)
aliyundrive-webdav   pip         <= 2.3.3              (not listed)

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability occurs in the action_query_qrcode handler, where the 'sid' parameter from the HTTP request is interpolated unsanitized into a shell command. The code executes 'aliyundrive-webdav qr query --sid ' + user_input via luci.sys.exec, which hands the string to the system shell for interpretation. An attacker can therefore inject arbitrary commands by including shell metacharacters in the sid parameter. The provided exploit example demonstrates successful command injection through the sid parameter, and the code structure shows no input validation or escaping.
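As an added example (not the project's code and not part of Miggo's analysis), here is the unsafe handler shape described above next to a hardened LuCI handler. The handler name, the binary invocation and the use of luci.sys.exec are taken from the analysis; the allow-list pattern for sid, the 128-character length cap and the call to luci.util.shellquote are assumptions made for illustration and should be tightened to the real sid syntax:

```lua
-- Added example, not the project's own code. Shows the command-injection
-- pattern from the root-cause analysis beside a hardened version.
local sys  = require "luci.sys"
local util = require "luci.util"
local http = require "luci.http"

-- Vulnerable shape: the request parameter is concatenated straight into a
-- command line, so luci.sys.exec hands any shell metacharacters in 'sid'
-- to /bin/sh for interpretation.
local function action_query_qrcode_vulnerable()
  local sid = http.formvalue("sid")
  local out = sys.exec("aliyundrive-webdav qr query --sid " .. sid)
  http.write(out)
end

-- Hardened shape. Assumption: a session id only ever needs letters, digits,
-- underscore and hyphen; adjust SID_PATTERN to the real format.
local SID_PATTERN = "^[%w_%-]+$"
local SID_MAX_LEN = 128   -- assumed upper bound, not from the project

local function is_valid_sid(sid)
  return type(sid) == "string"
     and #sid > 0
     and #sid <= SID_MAX_LEN
     and sid:match(SID_PATTERN) ~= nil
end

local function action_query_qrcode_hardened()
  local sid = http.formvalue("sid")
  -- Primary control: reject anything outside the allow-list before it can
  -- reach the shell at all.
  if not is_valid_sid(sid) then
    http.status(400, "Bad Request")
    http.write("invalid sid")
    return
  end
  -- Defence in depth: single-quote the argument so it is passed to the
  -- binary as one literal token even if the pattern is later loosened.
  local out = sys.exec("aliyundrive-webdav qr query --sid " .. util.shellquote(sid))
  http.write(out)
end

return {
  vulnerable = action_query_qrcode_vulnerable,
  hardened   = action_query_qrcode_hardened,
  is_valid_sid = is_valid_sid,
}
```

The allow-list check is the control that matters: a rejected sid is never interpolated, so the shell is never exposed to it. The same pattern check, applied to the sid query parameter in web-server access logs, is a cheap way to flag requests carrying shell metacharacters against a still-unpatched install.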


WAF Protection Rules

WAF Rule

An issue in aliyundrive-webdav v.2.3.3 and before allows a remote attacker to execute arbitrary code via a crafted payload to the sid parameter in the `action_query_qrcode` component.
