CVE-2024-53256

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-53256
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-53256.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-53256
Aliases
  • GHSA-5jhc-frm4-p8v9
Published
2024-12-23T16:15:06Z
Modified
2025-01-08T16:27:11.974985Z
Summary
[none]
Details

Rizin is a UNIX-like reverse engineering framework and command-line toolset. rizin.c still had an old snippet of code which suffered a command injection due the usage of rz_core_cmdf to invoke the command m which was removed in v0.1.x. A malicious binary defining bclass (part of RzBinInfo) is executed if rclass (part of RzBinInfo) is set to fs; the vulnerability can be exploited by any bin format where bclass and rclass are user defined. This vulnerability is fixed in 0.7.4.

References

Affected packages

Git / github.com/rizinorg/rizin

Affected ranges

Type
GIT
Repo
https://github.com/rizinorg/rizin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.7.0
v0.7.1