CRITICAL🇵🇱 Wersja polska

CVE-2024-38462

CVSS 9.8v3.1pub. 2024-06-16upd. 2024-11-21

iRODS before 4.3.2 provides an msiSendMail function with a problematic dependency on the mail binary, such as in the mailMS.cpp#L94-L106 reference.

🤖 AI Analysis
How it works

The msiSendMail function implemented in the mailMS.cpp file calls an external mail program without proper verification of its path or identity. According to CWE-426, an attacker can substitute a malicious binary under the name mail by manipulating the PATH environment variable or by providing an appropriate file in a searched location. Since the attack is possible remotely without authentication (AV:N, PR:N, UI:N), it can be exploited for privilege escalation or arbitrary code execution in the context of the iRODS process.

Impact

An attacker can gain full control over the iRODS server, which includes confidentiality, integrity, and availability of the system — all three aspects rated as HIGH in the CVSS vector.

Mitigation & patch

iRODS should be updated to version 4.3.2 or later, in which the issue was resolved according to the release information published by the vendor (https://irods.org/2024/05/irods-4-3-2-is-released/).

Who is affected

iRODS (Integrated Rule-Oriented Data System) versions before 4.3.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Irods

    APP
    Irods
    < 4.3.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2017-8799CRITICAL9.8ten sam produkt

Untrusted input execution via igetwild in all iRODS versions before 4.1.11 and 4.2.1 allows other iRODS users ...

CVE-2024-38461HIGH7.5ten sam produkt

irodsServerMonPerf in iRODS before 4.3.2 attempts to proceed with use of a path even if it is not a directory.

CVE-2012-5895HIGH10.0ten sam produkt

Multiple unspecified vulnerabilities in iRODS before 3.1 have unknown impact and attack vectors.