Platform
java
Component
pega-infinity
Fixed version
24.1.2
CVE-2024-10094 describes an Improper Control of Generation of Code vulnerability (the CWE-94 weakness class, commonly called code injection) affecting Pega Infinity. An attacker who can reach the vulnerable code-generation path could execute arbitrary code on the platform, potentially leading to complete system compromise. The vulnerability affects versions 6.0 through 24.1.1 of Pega Infinity; the fix ships in version 24.1.2.
Because the flaw sits in how the platform generates code, a successful exploit is remote code execution (RCE) in the context of the Pega Infinity process: the attacker can read the data the platform handles, change its configuration, persist malware, or take over the instance outright. The blast radius is wider than the single host, since a Pega Infinity deployment typically sits behind many downstream applications and business processes that trust it. Data exfiltration, denial of service and privilege escalation all follow from the ability to run attacker-chosen code.
CVE-2024-10094 was publicly disclosed on November 20, 2024. It is rated CRITICAL (CVSS 9.1). Note that the CVSS score measures potential impact, not likelihood of exploitation: the EPSS score recorded on this page (0.39%) is low, which is consistent with the absence of publicly available proof-of-concept exploits as of this writing and with the vulnerability not being listed in CISA KEV. No active campaigns are confirmed, but the severity of the outcome still warrants prompt patching.
Organizations that run critical business processes on Pega Infinity are the most exposed, including financial services, healthcare and government, where data confidentiality and system integrity are paramount. The advisory does not narrow the affected feature set, so treat every instance in the affected version range as exposed regardless of which platform features are in use.
• java / server: Monitor Pega Infinity logs for unusual code generation activity and look for patterns indicative of code injection attempts. A starting point (note that alternation requires extended regex, so grep needs -E; the error|exception terms will match a great deal of ordinary noise, so narrow the path to the application log and compare against a known-good baseline):
grep -Ei 'error|exception|code generation' /path/to/pega/logs/*
• java / supply-chain: Examine Pega Infinity's dependencies for known vulnerabilities that could be chained with this one; use a dependency scanning tool.
• generic web: Monitor Pega Infinity endpoints for unexpected behavior or responses that might indicate code execution.
• database (mysql, redis, mongodb, postgresql): N/A; this vulnerability is not directly related to database systems.
• wordpress / composer / npm: N/A; this vulnerability is not related to these platforms.
Disclosure
Exploitation status
EPSS
0.39% (60th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-10094 is to upgrade to Pega Infinity version 24.1.2 or later, which contains the fix. The advisory does not specify a direct workaround, so if immediate upgrading is not possible, reduce exposure instead: restrict access to functionality that generates or compiles code to the developers who need it, review and audit who can reach those code paths, and enforce strict input validation on any data that feeds them. After upgrading, confirm the fix by checking that every instance reports a running version of 24.1.2 or later; do not rely on attempting exploitation, since no public proof-of-concept exists and a negative result from an improvised payload proves nothing.
Update Pega Platform to a version later than 24.1.1 (24.1.2 or newer), which contains the fix for the improper control of code generation vulnerability. Refer to the Pega security advisory for details on updates and mitigations.
CVE-2024-10094 is a CRITICAL vulnerability affecting Pega Infinity versions 6.0–24.1.1, allowing potential code execution due to improper code generation controls.
If you are using Pega Infinity versions 6.0 through 24.1.1, you are potentially affected by this vulnerability. Upgrade to 24.1.2 or later to mitigate the risk.
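The affected range above (6.0 through 24.1.1, fixed in 24.1.2) is easy to get wrong when comparing version strings lexically, since "8.8.3" sorts after "24.1.1" as text. The following is an added example for this page, not Pega's own tooling: it parses dotted version strings numerically, pads short strings (so "24.1" is treated as 24.1.0.0), and triages a constructed inventory of hostnames and versions. The hostnames and versions in the inventory are made up for illustration.

```python
"""Version-range check for CVE-2024-10094 (Pega Infinity 6.0 through 24.1.1,
fixed in 24.1.2), as stated in the advisory. Added example, not Pega tooling."""
import re

# Bounds from the advisory: affected if AFFECTED_MIN <= version < FIXED.
AFFECTED_MIN = (6, 0, 0, 0)
FIXED = (24, 1, 2, 0)

_VERSION_RE = re.compile(r"\d+(\.\d+){0,3}")


def parse_version(text):
    """Turn '24.1.1', '8.8.3' or '24.1' into a 4-tuple of ints.

    Missing trailing components are treated as zero. Raises ValueError on
    anything that is not one to four dot-separated integers.
    """
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version):
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def triage(inventory):
    """Map each host to 'affected', 'fixed', 'below-range' or 'unknown'.

    inventory: iterable of (hostname, version_string) pairs.
    """
    result = {}
    for host, version in inventory:
        try:
            v = parse_version(version)
        except ValueError:
            result[host] = "unknown"   # unparseable: investigate by hand
            continue
        if v >= FIXED:
            result[host] = "fixed"
        elif v >= AFFECTED_MIN:
            result[host] = "affected"
        else:
            result[host] = "below-range"
    return result


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("pega-prod-01", "24.1.1"),
    ("pega-prod-02", "24.1.2"),
    ("pega-legacy", "8.8.3"),
    ("pega-dev", "24.1"),
    ("pega-ancient", "5.5"),
    ("pega-odd", "24.1.2-hotfix"),
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:14s} {status}")
```

Anything reported as "unknown" (such as a version string with a vendor suffix) should be checked by hand rather than assumed safe; the point of the check is to avoid the lexical trap, not to replace reading the instance's actual version.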
The recommended fix is to upgrade to Pega Infinity version 24.1.2 or later. If immediate upgrade is not possible, restrict access to code generation functionalities.
As of now, there are no confirmed reports of active exploitation, but the high severity warrants immediate action and patching.
Refer to the official Pega Platform Security Advisories page for the latest information: [https://www.pega.com/security-advisories](https://www.pega.com/security-advisories)