Home > Vulnerability Database > CVE-2024-38396

Mend.io Vulnerability Database

CVE-2024-38396

Date: June 15, 2024

An issue was discovered in iTerm2 3.5.x before 3.5.2. Unfiltered use of an escape sequence to report a window title, in combination with the built-in tmux integration feature (enabled by default), allows an attacker to inject arbitrary code into the terminal, a different vulnerability than CVE-2024-38395.

Language: Objective-C

Severity Score

9.8

Related Resources (6)

Url: https://iterm2.com/downloads.html

Url: https://gitlab.com/gnachman/iterm2/-/commit/fc60236a914d63fb70a5c632e211203a4f1bd4dd

Url: http://www.openwall.com/lists/oss-security/2024/06/17/1

Url: https://vin01.github.io/piptagole/escape-sequences/iterm2/rce/2024/06/16/iterm2-rce-window-title-tmux-integration.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-38396

Url: https://www.mend.io/vulnerability-database/CVE-2024-38396

Severity Score

9.8

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

CWE-94

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-38396

Date: June 15, 2024

Language: Objective-C

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?