Platform: python
Component: cbpi4
Fixed in: 4.4.1.a1 (commit 57572c7)
CVE-2024-3955 is a critical Remote Code Execution (RCE) vulnerability discovered in CraftBeerPi cbpi4. This flaw allows attackers to execute arbitrary code by manipulating the 'logtime' URL parameter within the 'downloadlog' function. The vulnerability impacts versions of cbpi4 up to and including 4.4.0, but has been resolved in version 4.4.1.a1.
The impact of CVE-2024-3955 is severe. An attacker can leverage this vulnerability to gain complete control over a vulnerable CraftBeerPi cbpi4 instance. This could involve modifying system configurations, stealing sensitive data (such as brewing recipes, user credentials, or API keys), installing malware, or using the compromised system as a launchpad for further attacks on the network. The ability to execute arbitrary code effectively grants the attacker root-level access, enabling them to compromise the entire system and potentially other connected devices.
CVE-2024-3955 was publicly disclosed on May 2, 2024. While no active exploitation campaigns have been confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature.
Exploit Status
EPSS: 0.46% (64th percentile)
CVSS Vector
The primary mitigation for CVE-2024-3955 is to immediately upgrade CraftBeerPi cbpi4 to version 4.4.1.a1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious values in the 'logtime' parameter. Additionally, restrict access to the 'downloadlog' endpoint to trusted networks or users. Monitor system logs for unusual activity related to the 'downloadlog' function. After upgrading, confirm the fix by attempting to access the 'downloadlog' endpoint with a crafted 'logtime' parameter and verifying that the request is rejected.
Update CraftBeerPi 4 to version 4.4.1.a1 or later. This corrects the arbitrary code execution vulnerability caused by the lack of validation in the 'logtime' parameter of the 'downloadlog' function. The update ensures that the parameter is validated correctly before passing it to the 'os.system' function.
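The two paragraphs above describe both sides of the fix: validate the 'logtime' value before it reaches anything that builds a command, and watch request logs for crafted values in the meantime. The following is an added example, not code from cbpi4 or its maintainers. It assumes a 'logtime' format (a short token of letters, digits, '.', '_' and '-'), a request path containing 'downloadlog', and a tar-based archive command; none of those details are stated in the advisory. It shows a strict allow-list validator, a helper that passes the validated value to `subprocess.run` as one argument instead of interpolating it into `os.system`, and a scan over constructed access-log lines that flags requests whose decoded 'logtime' value would have been interpreted by a shell under the unpatched pattern.

```python
import re
import subprocess
from pathlib import Path
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumption (not taken from cbpi4): a legitimate 'logtime' value is a plain
# token of letters, digits, '.', '_' and '-', starting with a letter or digit,
# at most 64 characters. Whatever the real format is, the allow-list should be
# this narrow: no spaces, no path separators, no shell metacharacters.
LOGTIME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

# Characters a POSIX shell interprets. Their presence in a value that the
# unpatched code interpolated into os.system() is the signal worth alerting on.
SHELL_META = set(";|&$`<>()'\"\\*?{}[]~!#\n\r ")


def validate_logtime(value: str) -> str:
    """Return the value unchanged if it is a safe token, else raise ValueError."""
    if not LOGTIME_RE.fullmatch(value) or ".." in value:
        raise ValueError("invalid logtime parameter")
    return value


def build_archive_command(log_dir: str, logtime: str) -> List[str]:
    """Build an argv list for packaging one log file, with no shell involved.

    The command shape (tar of a single '<logtime>.log' file) is assumed for
    illustration. The vulnerable pattern the advisory describes is the
    string-built equivalent, os.system(f"tar ... {logtime}"), where the shell
    parses whatever the client sent; here the validated value is one discrete
    argument that no shell ever sees.
    """
    safe = validate_logtime(logtime)
    base = Path(log_dir)
    return [
        "tar", "-czf", str(base / f"{safe}.tar.gz"),
        "-C", str(base), f"{safe}.log",
    ]


def archive_log(log_dir: str, logtime: str) -> Path:
    """Run the archive command without a shell and return the archive path."""
    argv = build_archive_command(log_dir, logtime)
    subprocess.run(argv, check=True)  # shell=False is the default
    return Path(argv[2])


def extract_logtime(request_target: str) -> Optional[str]:
    """Return the decoded 'logtime' query value of a downloadlog request, else None."""
    parts = urlsplit(request_target)
    if "downloadlog" not in parts.path:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("logtime")
    return values[0] if values else None


def classify_logtime(value: str) -> Optional[str]:
    """Return a reason string if the value should be rejected, else None."""
    if any(ch in SHELL_META for ch in value):
        return "shell-metacharacter"
    try:
        validate_logtime(value)
    except ValueError:
        return "malformed"
    return None


def flag_suspicious_requests(access_log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Scan access-log lines (common log format) for downloadlog requests whose
    logtime value would have been dangerous to hand to os.system()."""
    flagged = []
    for line in access_log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        target = m.group(1)
        logtime = extract_logtime(target)
        if logtime is None:
            continue
        reason = classify_logtime(logtime)
        if reason:
            flagged.append((target, logtime, reason))
    return flagged


# Constructed sample log lines; the /system/downloadlog path is assumed.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [02/May/2024:10:00:01 +0000] "GET /system/downloadlog?logtime=2024-05-01 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [02/May/2024:10:00:07 +0000] "GET /system/downloadlog?logtime=2024-05-01%3Bid HTTP/1.1" 200 128',
    '10.0.0.9 - - [02/May/2024:10:00:09 +0000] "GET /system/downloadlog?logtime=..%2F..%2Fetc HTTP/1.1" 404 0',
    '10.0.0.5 - - [02/May/2024:10:00:11 +0000] "GET /api/recipes HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for target, value, reason in flag_suspicious_requests(SAMPLE_ACCESS_LOG):
        print(f"{reason:20s} {value!r:24s} {target}")
```

Two points worth noting when adapting this. The log scan classifies the percent-decoded value, so a WAF rule written against the raw URL has to account for encodings such as `%3B` for `;` rather than matching the literal character. And the allow-list, not the metacharacter list, is the real control: `classify_logtime` reports a metacharacter only as a more informative reason, while anything the validator rejects is blocked regardless, which is what makes the post-upgrade check in the mitigation section (a crafted 'logtime' must be rejected) meaningful.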
CVE-2024-3955 is a critical Remote Code Execution vulnerability in CraftBeerPi cbpi4 versions up to 4.4.0. It allows attackers to execute arbitrary code via an unvalidated URL parameter.
You are affected if you are running CraftBeerPi cbpi4 version 4.4.0 or earlier. Version 4.4.1.a1 contains the fix.
Upgrade CraftBeerPi cbpi4 to version 4.4.1.a1 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
While no active exploitation campaigns have been confirmed, the vulnerability's severity makes it a likely target for attackers.
Refer to the CraftBeerPi GitHub repository and release notes for the latest information and advisory regarding CVE-2024-3955.