Home > Vulnerability Database > CVE-2024-25626

Mend.io Vulnerability Database

CVE-2024-25626

Good to know:

Date: February 19, 2024

Yocto Project is an open source collaboration project that helps developers create custom Linux-based systems regardless of the hardware architecture. In Yocto Projects Bitbake before 2.6.2 (before and included Yocto Project 4.3.1), with the Toaster server (included in bitbake) running, missing input validation allows an attacker to perform a remote code execution in the server's shell via a crafted HTTP request. Authentication is not necessary. Toaster server execution has to be specifically run and is not the default for Bitbake command line builds, it is only used for the Toaster web based user interface to Bitbake. The fix has been backported to the bitbake included with Yocto Project 5.0, 3.1.31, 4.0.16, and 4.3.2.

Language: Python

Severity Score

8.8

Related Resources (3)

Url: https://github.com/yoctoproject/poky/security/advisories/GHSA-75xw-78mm-72r4

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-25626

Url: https://www.mend.io/vulnerability-database/CVE-2024-25626

Severity Score

8.8

Weakness Type (CWE)

OS Command Injections

CWE-78

Top Fix

Upgrade Version

Upgrade to version yocto-3.1.31,yocto-4.0.16,yocto-4.3.2

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-25626

Good to know:

Date: February 19, 2024

Language: Python

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?