CVE-2024-33434: tiagorlampert CHAOS vulnerable to arbitrary code execution

CVSS Score (CVSS 3.1): 9.8

Basic Information

EPSS Score: 0.88242%
Published: 5/7/2024
Updated: 7/5/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: github.com/tiagorlampert/CHAOS
Ecosystem: go
Vulnerable Versions: < 0.0.0-20220716132853-b47438d36e3a
First Patched Version: 0.0.0-20220716132853-b47438d36e3a

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from unsafe concatenation of the user-controlled 'filename' into a command string (buildStr) that is then executed. The pre-patch code in client_service.go used input.Filename directly, without validate(), allowing OS command injection. The patch adds validation (utils.NormalizeString) and input checks, confirming the previous lack of sanitization. The CWE-78 classification and the GitHub advisory both explicitly identify command injection via the filename parameter as the attack vector.
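The pattern described above, next to a hardened form, as an added example that is not CHAOS's own code: the function names, the `out` directory and the allowlist rule are assumptions made for illustration, and the example does not reproduce what utils.NormalizeString does.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
)

// Allowlist for output names: must start with a letter or digit, then letters,
// digits, dot, underscore or hyphen. This rule is an assumption for the example.
var safeName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$`)

var errBadFilename = errors.New("filename contains characters outside the allowlist")

// unsafeBuildString shows the vulnerable shape: the caller-supplied name is
// concatenated into one string that a shell would later parse, so any shell
// metacharacters in the name become part of the command line.
func unsafeBuildString(filename string) string {
	return fmt.Sprintf("go build -o out/%s main.go", filename)
}

// validateFilename rejects anything that is not a plain file name.
func validateFilename(name string) error {
	if !safeName.MatchString(name) {
		return errBadFilename
	}
	return nil
}

// safeBuildArgs validates first, then returns a discrete argv slice suitable
// for exec.Command(args[0], args[1:]...), which never passes through a shell.
func safeBuildArgs(filename string) ([]string, error) {
	if err := validateFilename(filename); err != nil {
		return nil, err
	}
	return []string{"go", "build", "-o", filepath.Join("out", filename), "main.go"}, nil
}

func main() {
	// Constructed sample inputs: one benign, two that must be rejected.
	for _, name := range []string{"client.exe", "client; echo injected", "../../tmp/x"} {
		fmt.Printf("unsafe string: %q\n", unsafeBuildString(name))
		args, err := safeBuildArgs(name)
		fmt.Printf("safe argv:     %q err=%v\n\n", args, err)
	}
}
```

Validation and argv-based execution are independent controls: the allowlist keeps path traversal and odd names out, while avoiding the shell removes the metacharacter parsing step altogether.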
