CVE-2024-11858 — OS Command Injection in Radare2
Severity
7.8 HIGH (NVD)
EPSS
0.0%
top 88.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Dec 15
Description
A flaw was found in Radare2, which contains a command injection vulnerability caused by insufficient input validation when handling Pebble Application files. Maliciously crafted inputs can inject shell commands during command parsing, leading to unintended behavior during file processing.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9
Affected Packages: 2 packages
Vulnerability Details (2)
GHSA
GHSA-r3c4-qgcj-4qp2: A flaw was found in Radare2, which contains a command injection vulnerability caused by insufficient input validation when handling Pebble Application (2024-12-15)
OSV
CVE-2024-11858: A flaw was found in Radare2, which contains a command injection vulnerability caused by insufficient input validation when handling Pebble Application (2024-12-15)
Vendor Advisories (1)
Debian
CVE-2024-11858: radare2 - A flaw was found in Radare2, which contains a command injection vulnerability ca... (2024)