CVE-2024-56137

MaxKB, which stands for Max Knowledge Base, is an open source knowledge base question-answering system based on a large language model and retrieval-augmented generation (RAG). Prior to version 1.9.0, a remote command execution vulnerability exists in the module of function library. The vulnerability allow privileged‌ users to execute OS command in custom scripts. The vulnerability has been fixed in v1.9.0.

CVSS v3 6.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-76w2-2g72-cg85	Exploit Vendor Advisory
https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-76w2-2g72-cg85	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:maxkb:maxkb:*:*:*:*:-:*:*:*

History

No history.

Information

Published : 2025-01-02 15:15

Updated : 2025-08-01 20:15

NVD link : CVE-2024-56137

Mitre link : CVE-2024-56137

CVE.ORG link : CVE-2024-56137

JSON object : View

Products Affected

maxkb

maxkb

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2024-56137", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.9}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2025-01-02T15:15:24.283", "references": [{"url": "https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-76w2-2g72-cg85", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-76w2-2g72-cg85", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "MaxKB, which stands for Max Knowledge Base, is an open source knowledge base question-answering system based on a large language model and retrieval-augmented generation (RAG). Prior to version 1.9.0, a remote command execution vulnerability exists in the module of function library. The vulnerability allow privileged\u200c users to execute OS command in custom scripts. The vulnerability has been fixed in v1.9.0."}, {"lang": "es", "value": "MaxKB, acr\u00f3nimo de Max Knowledge Base, es un sistema de preguntas y respuestas de base de conocimiento de c\u00f3digo abierto basado en un modelo de lenguaje grande y generaci\u00f3n aumentada por recuperaci\u00f3n (RAG). Antes de la versi\u00f3n 1.9.0, exist\u00eda una vulnerabilidad de ejecuci\u00f3n remota de comandos en el m\u00f3dulo de la biblioteca de funciones. La vulnerabilidad permit\u00eda a los usuarios privilegiados ejecutar comandos del sistema operativo en scripts personalizados. La vulnerabilidad se ha corregido en la versi\u00f3n 1.9.0."}], "lastModified": "2025-08-01T20:15:27.940", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:maxkb:maxkb:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "AA0EB089-62E2-4661-BF79-4CA43FB94D1A", "versionEndExcluding": "1.9.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}