Remote Code Execution (RCE) Affecting org.webjars.bower:angular-base64-upload package, versions [,0.1.22)


Severity

Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.05% (24th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Remote Code Execution (RCE) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-ORGWEBJARSBOWER-8235207
  • published21 Oct 2024
  • disclosed11 Oct 2024
  • creditRavindu Wickramasinghe |

Introduced: 11 Oct 2024

CVE-2024-42640  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade org.webjars.bower:angular-base64-upload to version 0.1.22 or higher.

Overview

org.webjars.bower:angular-base64-upload is a Converts files from file input into base64 encoded models.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via the server.php endpoint. An attacker can execute arbitrary code on the server by uploading malicious file content that can be accessed and executed via the uploads endpoint.

CVSS Scores

version 4.0
version 3.1