216.73.217.174

CVE-2024-8374

· Published 03/09/2024 10:15 · Modified 16/09/2024 16:44

Labels: CVE-2024-8374 2024-09-03596c5446-0ce5-4ba2-aa66-48b3b757a647CVE-2024-8374CWE-94

Essential information

Published
03/09/2024 10:15
Modified
16/09/2024 16:44
Author
Creator
CVSS
7.8 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS metrics

Description

UltiMaker Cura slicer versions 5.7.0-beta.1 through 5.7.2 are vulnerable to code injection via the 3MF format reader (/plugins/ThreeMFReader.py). The vulnerability arises from improper handling of the drop_to_buildplate property within 3MF files, which are ZIP archives containing the model data. When a 3MF file is loaded in Cura, the value of the drop_to_buildplate property is passed to the Python eval() function without proper sanitization, allowing an attacker to execute arbitrary code by crafting a malicious 3MF file. This vulnerability poses a significant risk as 3MF files are commonly shared via 3D model databases.

NVD status

Status
Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.
Source
596c5446-0ce5-4ba2-aa66-48b3b757a647
NVD
View on NVD

Affected products (CPE)

ProductCPE
ultimaker / ultimaker cura cpe:2.3:a:ultimaker:ultimaker_cura:5.7.0:-:*:*:*:*:*:*
ultimaker / ultimaker cura cpe:2.3:a:ultimaker:ultimaker_cura:5.7.0:beta1:*:*:*:*:*:*
ultimaker / ultimaker cura cpe:2.3:a:ultimaker:ultimaker_cura:5.7.1:*:*:*:*:*:*:*
ultimaker / ultimaker cura cpe:2.3:a:ultimaker:ultimaker_cura:5.7.2:rc2:*:*:*:*:*:*
ultimaker / ultimaker cura cpe:2.3:a:ultimaker:ultimaker_cura:5.8.0:beta1:*:*:*:*:*:*
ultimaker / ultimaker cura cpe:2.3:a:ultimaker:ultimaker_cura:5.8.0:beta1_rc1:*:*:*:*:*:*
ultimaker / ultimaker cura cpe:2.3:a:ultimaker:ultimaker_cura:5.8.0:beta1_rc2:*:*:*:*:*:*

References