How severe is CVE-2024-49375?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9 out of 10.

What type of vulnerability is CVE-2024-49375?

This is classified as CWE-94, which is a common weakness in software security.

CVE-2024-49375 - CRITICAL Severity | CVSS 9

Vulnerability Description

Open source machine learning framework. A vulnerability has been identified in Rasa that enables an attacker who has the ability to load a maliciously crafted model remotely into a Rasa instance to achieve Remote Code Execution. The prerequisites for this are: 1. The HTTP API must be enabled on the Rasa instance eg with `--enable-api`. This is not the default configuration. 2. For unauthenticated RCE to be exploitable, the user must not have configured any authentication or other security controls recommended in our documentation. 3. For authenticated RCE, the attacker must posses a valid authentication token or JWT to interact with the Rasa API. This issue has been addressed in rasa version 3.6.21 and all users are advised to upgrade. Users unable to upgrade should ensure that they require authentication and that only trusted users are given access.

Related Vulnerabilities

CVE-2015-8351

CRITICAL

CVSS:9.0(Critical)

PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code vi...

CWE-942015

CVE-2015-8761

CRITICAL

CVSS:9.0(Critical)

The Values module 7.x-1.x before 7.x-1.2 for Drupal does not properly check permissions, which allows remote administrators with the "Import value sets" permission to execute arbitrary PHP code via th...

CWE-942015

CVE-2018-4031

CRITICAL

CVSS:9.0(Critical)

An exploitable vulnerability exists in the safe browsing function of the CUJO Smart Firewall, version 7003. The flaw lies in the way the safe browsing function parses HTTP requests. The server hostnam...

CWE-942018

CVE-2019-7610

CRITICAL

CVSS:9.0(Critical)

Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could sen...

CWE-942019

CVE-2020-15142

CRITICAL

CVSS:9.0(Critical)

In openapi-python-client before version 0.5.3, clients generated with a maliciously crafted OpenAPI Document can generate arbitrary Python code. Subsequent execution of this malicious client is arbitr...

CWE-942020

CVE-2020-9406

CRITICAL

CVSS:9.0(Critical)

IBL Online Weather before 4.3.5a allows unauthenticated eval injection via the queryBCP method of the Auxiliary Service.

CWE-942020