CVE-2024-2448

An OS command injection vulnerability has been identified in LoadMaster. An authenticated UI user with any permission settings may be able to inject commands into a UI component using a shell command resulting in OS command injection.

CVSS v3 8.4 HIGH

8.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.7 / Impact : 6.0

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://progress.com/loadmaster	Broken Link
https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449	Release Notes
https://progress.com/loadmaster	Broken Link
https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449	Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:progress:loadmaster:::::ltsf:::*
	cpe:2.3:a:progress:loadmaster:::::ga:::*
	cpe:2.3:a:progress:loadmaster:7.1.35.10::::mt:::
	cpe:2.3:a:progress:loadmaster:7.2.48.10::::lts:::

History

11 Feb 2025, 17:39

Type	Values Removed	Values Added
First Time		Progress Progress loadmaster
CPE		cpe:2.3:a:progress:loadmaster:::::ltsf:::* cpe:2.3:a:progress:loadmaster:7.2.48.10::::lts::: cpe:2.3:a:progress:loadmaster:::::ga:::* cpe:2.3:a:progress:loadmaster:7.1.35.10::::mt:::
References	~~() https://progress.com/loadmaster -~~	() https://progress.com/loadmaster - Broken Link
References	~~() https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449 -~~	() https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449 - Release Notes

Information

Published : 2024-03-22 14:15

Updated : 2025-02-11 17:39

NVD link : CVE-2024-2448

Mitre link : CVE-2024-2448

CVE.ORG link : CVE-2024-2448

JSON object : View

Products Affected

progress

loadmaster

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2024-2448", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@progress.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.7}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-03-22T14:15:08.683", "references": [{"url": "https://progress.com/loadmaster", "tags": ["Broken Link"], "source": "security@progress.com"}, {"url": "https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449", "tags": ["Release Notes"], "source": "security@progress.com"}, {"url": "https://progress.com/loadmaster", "tags": ["Broken Link"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@progress.com", "description": [{"lang": "en", "value": "CWE-78"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "An OS command injection vulnerability has been identified in LoadMaster.\u00a0 An authenticated UI user with any permission settings may be able to inject commands into a UI component using a shell command resulting in OS command injection."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo en LoadMaster. Un usuario de UI autenticado con cualquier configuraci\u00f3n de permisos puede inyectar comandos en un componente de UI usando un comando de shell, lo que resulta en la inyecci\u00f3n de comandos del sistema operativo."}], "lastModified": "2025-02-11T17:39:30.057", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:progress:loadmaster:*:*:*:*:ltsf:*:*:*", "vulnerable": true, "matchCriteriaId": "09E601FC-0D63-44B7-8726-DA512D075139", "versionEndExcluding": "7.2.54.9", "versionStartIncluding": "7.2.49.0"}, {"criteria": "cpe:2.3:a:progress:loadmaster:*:*:*:*:ga:*:*:*", "vulnerable": true, "matchCriteriaId": "F95CC892-C725-49BE-AC30-3AB2C1547517", "versionEndExcluding": "7.2.59.3", "versionStartIncluding": "7.2.55.0"}, {"criteria": "cpe:2.3:a:progress:loadmaster:7.1.35.10:*:*:*:mt:*:*:*", "vulnerable": true, "matchCriteriaId": "8F615B26-D735-4A95-9D04-D434B61CFB38"}, {"criteria": "cpe:2.3:a:progress:loadmaster:7.2.48.10:*:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "8DDDA906-6A2C-4662-B3EC-6406BC32370D"}], "operator": "OR"}]}], "sourceIdentifier": "security@progress.com"}