Vulnerabilites related to composiohq - composio
CVE-2024-8864 (GCVE-0-2024-8864)
Vulnerability from cvelistv5
Published
2024-09-15 00:31
Modified
2024-09-16 20:20
Severity ?
5.1 (Medium) - CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
5.5 (Medium) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
5.5 (Medium) - CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
5.5 (Medium) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
5.5 (Medium) - CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
VLAI Severity ?
EPSS score ?
CWE
- CWE-94 - Code Injection
Summary
A vulnerability has been found in composiohq composio up to 0.5.6 and classified as critical. Affected by this vulnerability is the function Calculator of the file python/composio/tools/local/mathematical/actions/calculator.py. The manipulation leads to code injection. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| composiohq | composio |
Version: 0.5.0 Version: 0.5.1 Version: 0.5.2 Version: 0.5.3 Version: 0.5.4 Version: 0.5.5 Version: 0.5.6 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:composiohq:composio:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "composio",
"vendor": "composiohq",
"versions": [
{
"lessThanOrEqual": "0.5.6",
"status": "affected",
"version": "0.5.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8864",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-16T20:19:37.159622Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-16T20:20:11.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "composio",
"vendor": "composiohq",
"versions": [
{
"status": "affected",
"version": "0.5.0"
},
{
"status": "affected",
"version": "0.5.1"
},
{
"status": "affected",
"version": "0.5.2"
},
{
"status": "affected",
"version": "0.5.3"
},
{
"status": "affected",
"version": "0.5.4"
},
{
"status": "affected",
"version": "0.5.5"
},
{
"status": "affected",
"version": "0.5.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "aftersnow (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in composiohq composio up to 0.5.6 and classified as critical. Affected by this vulnerability is the function Calculator of the file python/composio/tools/local/mathematical/actions/calculator.py. The manipulation leads to code injection. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "In composiohq composio bis 0.5.6 wurde eine Schwachstelle gefunden. Sie wurde als kritisch eingestuft. Das betrifft die Funktion Calculator der Datei python/composio/tools/local/mathematical/actions/calculator.py. Durch Manipulation mit unbekannten Daten kann eine code injection-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.2,
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-15T00:31:04.359Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-277501 | composiohq composio calculator.py Calculator code injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.277501"
},
{
"name": "VDB-277501 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.277501"
},
{
"name": "Submit #403204 | composiohq composio \u003c=0.5.6 Composio\u0027s Local tools Mathematical has a code injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.403204"
},
{
"tags": [
"exploit"
],
"url": "https://rumbling-slice-eb0.notion.site/Composio-s-Local-tools-Mathematical-has-a-code-injection-risk-in-composiohq-composio-ea0e89ee10fe4edfb9a8cfeed158c765?pvs=4"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-09-14T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-09-14T08:01:32.000Z",
"value": "VulDB entry last update"
}
],
"title": "composiohq composio calculator.py Calculator code injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-8864",
"datePublished": "2024-09-15T00:31:04.359Z",
"dateReserved": "2024-09-14T05:56:20.856Z",
"dateUpdated": "2024-09-16T20:20:11.603Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8865 (GCVE-0-2024-8865)
Vulnerability from cvelistv5
Published
2024-09-15 01:00
Modified
2024-09-16 20:19
Severity ?
5.1 (Medium) - CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
3.5 (Low) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
3.5 (Low) - CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
3.5 (Low) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
3.5 (Low) - CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Path Traversal
Summary
A vulnerability was found in composiohq composio up to 0.5.8 and classified as problematic. Affected by this issue is the function path of the file composio\server\api.py. The manipulation of the argument file leads to path traversal. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| composiohq | composio |
Version: 0.5.0 Version: 0.5.1 Version: 0.5.2 Version: 0.5.3 Version: 0.5.4 Version: 0.5.5 Version: 0.5.6 Version: 0.5.7 Version: 0.5.8 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:composiohq:composio:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "composio",
"vendor": "composiohq",
"versions": [
{
"lessThanOrEqual": "0.5.8",
"status": "affected",
"version": "0.5.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8865",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-16T20:17:25.622622Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-16T20:19:08.269Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "composio",
"vendor": "composiohq",
"versions": [
{
"status": "affected",
"version": "0.5.0"
},
{
"status": "affected",
"version": "0.5.1"
},
{
"status": "affected",
"version": "0.5.2"
},
{
"status": "affected",
"version": "0.5.3"
},
{
"status": "affected",
"version": "0.5.4"
},
{
"status": "affected",
"version": "0.5.5"
},
{
"status": "affected",
"version": "0.5.6"
},
{
"status": "affected",
"version": "0.5.7"
},
{
"status": "affected",
"version": "0.5.8"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "aftersnow (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in composiohq composio up to 0.5.8 and classified as problematic. Affected by this issue is the function path of the file composio\\server\\api.py. The manipulation of the argument file leads to path traversal. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in composiohq composio bis 0.5.8 gefunden. Sie wurde als problematisch eingestuft. Dies betrifft die Funktion path der Datei composio\\server\\api.py. Mittels dem Manipulieren des Arguments file mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.7,
"vectorString": "AV:A/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-15T01:00:06.013Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-277502 | composiohq composio api.py path path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.277502"
},
{
"name": "VDB-277502 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.277502"
},
{
"name": "Submit #403206 | composiohq composio \u003c=v0.5.8(latest) arbitrary file read",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.403206"
},
{
"tags": [
"exploit"
],
"url": "https://rumbling-slice-eb0.notion.site/There-is-an-arbitrary-file-read-vulnerability-at-api-download-in-composiohq-composio-f0ec1ec26a5f434a97bb1ffde435a35b?pvs=4"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-09-14T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-09-14T08:01:33.000Z",
"value": "VulDB entry last update"
}
],
"title": "composiohq composio api.py path path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-8865",
"datePublished": "2024-09-15T01:00:06.013Z",
"dateReserved": "2024-09-14T05:56:25.932Z",
"dateUpdated": "2024-09-16T20:19:08.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}