CRITICAL🇵🇱 Wersja polska

CVE-2024-38887

CVSS 9.8v3.1pub. 2024-08-02upd. 2026-07-05

An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to expand control over the operating system from the database due to the execution of commands with unnecessary privileges.

🤖 AI Analysis
How it works

The vulnerability results from executing system commands with unnecessary (redundant) privileges in the database context. An attacker can remotely, over the network, pass malicious input data that is passed to the system shell without proper validation or sanitization. As a result, it is possible to break out of the database context and take control of the server's operating system.

Impact

An attacker can gain full control over the operating system of the server running Caterease, enabling data read, modification or deletion, as well as further actions within the victim's infrastructure (lateral movement).

Mitigation & patch

Apply patches available from the vendor according to references. It is recommended to restrict network access to the Caterease server exclusively to trusted hosts (firewall, network segmentation) and review the permissions under which the database service operates to apply the principle of least privilege.

Who is affected

Horizoncloud Caterease in versions from 16.0.1.1663 to 24.0.1.2405 inclusive, and possibly later versions as well.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Horizoncloud Caterease

    APP
    Horizoncloud
    16.0.1.1663 – 24.0.1.2405
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2024-38883CRITICAL9.1PL ✓ten sam produkt

Caterease: obniżenie poziomu szyfrowania przez wybór słabszego algorytmu

CVE-2024-38886CRITICAL9.8PL ✓ten sam produkt

Traffic Injection w Horizoncloud Caterease – brak weryfikacji źródła komunikacji

CVE-2024-38889CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Horizoncloud Caterease — zdalne wykonanie zapytań

CVE-2024-38882CRITICAL9.8PL ✓ten sam produkt

SQL Injection umożliwiający command injection w Horizoncloud Caterease

CVE-2024-38891HIGH7.5ten sam produkt

An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versio...