Severity: 7.2 HIGH (NVD)
EPSS: 5.1% (top 10.16%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Feb 14
Latest update: Nov 13

Description

A command injection vulnerability exists where an authenticated, remote attacker with administrator privileges on the Security Center application could modify Logging parameters, which could lead to the execution of arbitrary code on the Security Center host.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5: tenable/security_center < 6.3.0

🔴 Vulnerability Details (3)

GHSA: Missing permission check in Jenkins Script Security Plugin (2024-11-13)
GHSA: GHSA-mf67-jvr3-xgj9: A command injection vulnerability exists where an authenticated, remote attacker with administrator privileges on the Security Center application coul (2024-02-15)
CVEList: Command Injection Vulnerability in Tenable Security Center (2024-02-14)

📋 Vendor Advisories (2)

Red Hat: jenkins-plugin/script-security: Jenkins Script Security Plugin File Disclosure Vulnerability (2024-11-13)
Red Hat: kernel: fuse: clear FR_SENT when re-adding requests into pending list (2024-06-21)
CVE-2024-1367 — OS Command Injection in Security Center | cvebase