Platform
java
Component
pega-infinity
Fixed in
24.1.2
CVE-2024-10094 describes an Improper Control of Generation of Code ('Code Injection', CWE-94) vulnerability affecting Pega Infinity (the Pega Platform). The flaw could allow an attacker to have the platform generate and execute attacker-influenced code, potentially leading to complete compromise of the affected instance. The vulnerability impacts versions 6.0 through 24.1.1 of Pega Infinity; the fix ships in version 24.1.2.
The Improper Control of Code Generation vulnerability in Pega Infinity presents a significant risk. An attacker who successfully exploits this flaw could cause the platform to emit and run code of the attacker's choosing, which amounts to remote code execution (RCE) in the context of the Pega application server. From there the attacker could read or exfiltrate sensitive data, modify system configuration, install additional malware, or take full control of the affected instance. The blast radius is substantial: Pega deployments typically sit behind many downstream applications and business processes, all of which inherit the compromise. Code generation under attacker control also opens the door to denial of service and privilege escalation within the platform.
CVE-2024-10094 was publicly disclosed on November 20, 2024. Its CRITICAL severity rating (CVSS 9.1) describes the worst-case impact of successful exploitation; the likelihood of exploitation is tracked separately by the EPSS score listed on this page. As of this writing, there are no publicly available proof-of-concept exploits, the CVE is not listed in CISA KEV, and no active campaigns are confirmed. The severity nonetheless warrants prompt patching.
Exploit Status
EPSS
0.39% (60th percentile)
The primary mitigation for CVE-2024-10094 is to upgrade to Pega Infinity version 24.1.2 or later, which contains the fix. Pega has not published a direct workaround. If immediate upgrading is not possible, reduce exposure in the meantime: restrict the platform's code generation functionality (and the developer and administrative roles that can reach it) to the personnel who need it, review and audit rules and processes that generate code for unexpected changes, and enforce strict input validation on any data that feeds code generation. After upgrading, confirm the fix by checking that every node in the deployment reports a platform version of 24.1.2 or later; with no public proof-of-concept available, there is no "known malicious payload" to replay, and attempting to trigger the flaw against production is not a meaningful verification.
Update Pega Platform to 24.1.2 or any later version that includes the fix for the improper control of code generation vulnerability. Refer to the Pega security advisory for specific details on the update and any mitigations.
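As an added example (not part of the original advisory and not Pega's own tooling), the following Python script classifies Pega Infinity version strings against the affected range given above, 6.0 through 24.1.1 with the fix in 24.1.2. It assumes Pega's dotted numeric version format (for example 8.8.3, 23.1.0 or 24.1.1); the sample version list inside it is constructed input, not data from any real deployment. The point of doing the comparison numerically rather than as strings is that a hypothetical 24.1.10 must sort after 24.1.2, which a lexical comparison would get wrong.

```python
"""Classify Pega Infinity / Pega Platform version strings against the range
affected by CVE-2024-10094 (6.0 through 24.1.1; fixed in 24.1.2).

Added example; not Pega's tooling. The sample versions below are constructed.
"""
import re

AFFECTED_FROM = (6, 0, 0)   # first affected version per the advisory
FIXED_IN = (24, 1, 2)       # first version that contains the fix


def parse_version(text):
    """Return (major, minor, patch) from strings such as '24.1.1', '8.8.3',
    '7.1' or 'Pega Infinity 23.1.0'. A missing patch component is treated
    as 0. Raises ValueError when no dotted version number is present."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version_text):
    """True when the version lies in [6.0, 24.1.2), i.e. is vulnerable.
    Tuples compare numerically, so (24, 1, 10) correctly sorts after (24, 1, 2)."""
    return AFFECTED_FROM <= parse_version(version_text) < FIXED_IN


def assess(versions):
    """Map each version string to one of:
    'affected'      - in the range the advisory lists as vulnerable
    'fixed'         - 24.1.2 or later
    'below range'   - older than 6.0; not covered by the advisory (likely end of life)
    'unparseable'   - no version number could be extracted
    """
    result = {}
    for text in versions:
        try:
            v = parse_version(text)
        except ValueError:
            result[text] = "unparseable"
            continue
        if v < AFFECTED_FROM:
            result[text] = "below range"
        elif v < FIXED_IN:
            result[text] = "affected"
        else:
            result[text] = "fixed"
    return result


if __name__ == "__main__":
    # Constructed sample, standing in for the versions reported by each node
    # of a deployment.
    sample = [
        "24.1.1", "24.1.2", "24.1.10", "23.1.0", "8.8.3", "7.1", "5.5",
        "Pega Infinity 24.2.0", "unknown",
    ]
    for version, status in assess(sample).items():
        print(f"{version:25s} {status}")
```

Feed the script the version string reported by every node (not just one), since a partially upgraded cluster still leaves vulnerable nodes in service.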
CVE-2024-10094 is a CRITICAL vulnerability affecting Pega Infinity versions 6.0–24.1.1, allowing potential code execution due to improper code generation controls.
If you are using Pega Infinity versions 6.0 through 24.1.1, you are potentially affected by this vulnerability. Upgrade to 24.1.2 or later to mitigate the risk.
The recommended fix is to upgrade to Pega Infinity version 24.1.2 or later. If immediate upgrade is not possible, restrict access to code generation functionalities.
As of now there are no confirmed reports of active exploitation, but the CRITICAL severity warrants prompt patching.
Refer to the official Pega Platform Security Advisories page for the latest information: [https://www.pega.com/security-advisories](https://www.pega.com/security-advisories)