CVE-2024-54661 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 37%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
dest-unreach	socat	𝑥 ≤ 1.8.0.1	ADP

Debian Releases

Debian Product

Codename

socat

bookworm	unimportant
bullseye	unimportant
forky	1.8.1.0-2 fixed
sid	1.8.1.0-2 fixed
trixie	1.8.0.3-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

socat

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	ignored
plucky	needs-triage
questing	needs-triage
trusty	needs-triage
xenial	needs-triage

Common Weakness Enumeration

CWE-61 - UNIX Symbolic Link (Symlink) Following
The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.

References

http://www.dest-unreach.org/socat/contrib/socat-secadv9.html

https://repo.or.cz/socat.git/blob/6ff391324d2d3b9f6bfb58e7d16a20be43b47af7:/readline.sh#l29