History: Sep 03, 2024 - 10:15 a.m.

CVE-2024-8374

2024-09-03 10:15:06
CWE-94
596c5446-0ce5-4ba2-aa66-48b3b757a647
web.nvd.nist.gov
Tags: ultimaker cura, code injection, 3mf files

CVSS3: 7.8

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.001
Percentile: 22.6%

UltiMaker Cura slicer versions 5.7.0-beta.1 through 5.7.2 are vulnerable to code injection via the 3MF format reader (/plugins/ThreeMFReader.py). The vulnerability arises from improper handling of the drop_to_buildplate property within 3MF files, which are ZIP archives containing the model data. When a 3MF file is loaded in Cura, the value of the drop_to_buildplate property is passed to the Python eval() function without proper sanitization, allowing an attacker to execute arbitrary code by crafting a malicious 3MF file. This vulnerability poses a significant risk as 3MF files are commonly shared via 3D model databases.
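
As an added illustration (not code from Cura or from the advisory), the sketch below shows the two defensive pieces the description implies: a strict boolean parser to use instead of eval(), and a triage scanner that opens a 3MF as a ZIP and flags any drop_to_buildplate value that is not a boolean literal. The storage layout (an XML element whose name attribute ends in drop_to_buildplate, with the value as element text), the helper names and the sample archive are assumptions constructed for the demo.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

ALLOWED = {"true", "false"}  # the property is a flag; any other text is suspect

def parse_flag(value):
    """Strict replacement for eval(): accept only boolean literals."""
    text = (value or "").strip().lower()
    if text not in ALLOWED:
        raise ValueError("non-boolean drop_to_buildplate value")
    return text == "true"

def scan_3mf(data):
    """Return (entry, value) pairs whose drop_to_buildplate value is not a boolean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for entry in archive.namelist():
            if not entry.lower().endswith(".model"):
                continue
            root = ET.fromstring(archive.read(entry))
            for elem in root.iter():
                # Assumption: the property is an element whose "name" attribute
                # ends in drop_to_buildplate and whose text holds the value.
                if not elem.get("name", "").endswith("drop_to_buildplate"):
                    continue
                try:
                    parse_flag(elem.text)
                except ValueError:
                    findings.append((entry, elem.text))
    return findings

def build_sample(value):
    """Constructed 3MF-like archive for the demo; not a real model file."""
    model = ('<model xmlns="http://schemas.microsoft.com/3dmanufacturing/core/2015/02">'
             '<metadata name="cura:drop_to_buildplate">' + value + '</metadata></model>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("3D/3dmodel.model", model)
    return buf.getvalue()

if __name__ == "__main__":
    for sample in ("True", "1 + 1"):  # second value is an expression, not a flag
        print(repr(sample), "->", scan_3mf(build_sample(sample)))
```

The scanner never evaluates the value; it only compares text, so it is safe to run over files pulled from model-sharing sites before they are opened in an affected Cura version.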

Affected configurations

Nvd
Node
ultimaker ultimaker_cura Match 5.7.0 -
OR
ultimaker ultimaker_cura Match 5.7.0 beta1
OR
ultimaker ultimaker_cura Match 5.7.1
OR
ultimaker ultimaker_cura Match 5.7.2 rc2
OR
ultimaker ultimaker_cura Match 5.8.0 beta1
OR
ultimaker ultimaker_cura Match 5.8.0 beta1_rc1
OR
ultimaker ultimaker_cura Match 5.8.0 beta1_rc2

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ultimaker | ultimaker_cura | 5.7.0 | cpe:2.3:a:ultimaker:ultimaker_cura:5.7.0:-:*:*:*:*:*:* |
| ultimaker | ultimaker_cura | 5.7.0 | cpe:2.3:a:ultimaker:ultimaker_cura:5.7.0:beta1:*:*:*:*:*:* |
| ultimaker | ultimaker_cura | 5.7.1 | cpe:2.3:a:ultimaker:ultimaker_cura:5.7.1:*:*:*:*:*:*:* |
| ultimaker | ultimaker_cura | 5.7.2 | cpe:2.3:a:ultimaker:ultimaker_cura:5.7.2:rc2:*:*:*:*:*:* |
| ultimaker | ultimaker_cura | 5.8.0 | cpe:2.3:a:ultimaker:ultimaker_cura:5.8.0:beta1:*:*:*:*:*:* |
| ultimaker | ultimaker_cura | 5.8.0 | cpe:2.3:a:ultimaker:ultimaker_cura:5.8.0:beta1_rc1:*:*:*:*:*:* |
| ultimaker | ultimaker_cura | 5.8.0 | cpe:2.3:a:ultimaker:ultimaker_cura:5.8.0:beta1_rc2:*:*:*:*:*:* |
