
CVE-2024-32152: Ankitects Anki LaTeX Blocklist Bypass vulnerability

CVSS Score: 3.1

Basic Information

EPSS Score: -
Published: 7/22/2024
Updated: 8/5/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Package Name    Ecosystem    Vulnerable Versions    First Patched Version
anki            pip          < 24.6                 24.6

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from the regex-based command blocklist in _save_latex_image, which was bypassable via hex encoding. The patch removed this security check entirely and replaced it with a configurable toggle, confirming this was the vulnerable component. The CWE-184 classification and commit diff showing removal of security restrictions directly implicate this function.


WAF Protection Rules

WAF Rule

A blocklist bypass vulnerability exists in the LaTeX functionality of Ankitects Anki **.**. A specially crafted malicious flashcard can lead to an arbitrary file creation at a fixed path. An attacker can share a malicious flashcard to trigger this vu
