Description

A remote attacker using the insecure upload functionality will be able to overwrite any Python file and get Remote Code Execution. As for the affected productsmodelsversions, see the reference URL.

Classification

Assigner: ecc0f906-8666-484c-bcf8-c3b7520a72f0

CWE: CWE-276

Links
CPEs
  • toshibatec product version

CVSS

CVSS version: 3.1 Base score: 7.4
Base severity: HIGH Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability score: 1.4 Impact score: 5.9

Can you explain the CVE description?

This CVE description is for a vulnerability with the identifier CVE-2024-27171. The vulnerability allows a remote attacker to exploit insecure upload functionality to overwrite any Python file and achieve Remote Code Execution. The CVSS score for this vulnerability is 7.4, which is considered high severity. The vulnerability is associated with CWE-276. The affected products, models, and versions are not specified in the description but can be found in the reference URLs provided. The status of this CVE is EARLY_WARNING, and it was published on June 14, 2024, with the last modified date also being June 14, 2024. The vulnerability has been assigned a base severity of HIGH and has a CVSS vector of AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The exploitability score is 1.4, and the impact score is 5.9. There are several URLs provided for reference, including links to the Japan Vulnerability Notes (JVN) and Toshibas official information page. The assigner of this CVE is identified as ecc0f906-8666-484c-bcf8-c3b7520a72f0.

How can this vulnerability be part of an attack tree?

This vulnerability can be part of an attack tree by being used as an initial entry point for an attacker to gain unauthorized access to the system. The attacker could exploit the insecure upload functionality to upload a malicious Python file that allows for remote code execution. Once the attacker has successfully uploaded the malicious file, they can execute arbitrary commands on the system, potentially leading to further compromise of sensitive data, disruption of services, or complete takeover of the system. This could result in a significant impact on the confidentiality, integrity, and availability of the affected system.


Generated on: 2024-07-05