{"id":"CVE-2024-41961","summary":"Elektra vulnerable to remote code execution in universal search","details":"Elektra is an opinionated Openstack Dashboard for Operators and Consumers of Openstack Services. A code injection vulnerability was found in the live search functionality of the Ruby on Rails based Elektra web application. An authenticated user can craft a search term containing Ruby code; the term flows into an `eval` sink and is executed on the server. Only a low-privileged authenticated account is needed and no user interaction is required (CVSS 3.1 PR:L/UI:N). Fixed in commits 49aea3b365082681558bf3bf7bf4a51766cfc44d and 8bce00be93b95a6512ff68fe86bf9554e486bc02.","aliases":["GHSA-6j2h-486h-487q"],"modified":"2026-04-10T05:16:46.316985Z","published":"2024-08-01T14:33:46.684Z","database_specific":{"cwe_ids":["CWE-94"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/41xxx/CVE-2024-41961.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/41xxx/CVE-2024-41961.json"},{"type":"ADVISORY","url":"https://github.com/sapcc/elektra/security/advisories/GHSA-6j2h-486h-487q"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41961"},{"type":"FIX","url":"https://github.com/sapcc/elektra/commit/49aea3b365082681558bf3bf7bf4a51766cfc44d"},{"type":"FIX","url":"https://github.com/sapcc/elektra/commit/8bce00be93b95a6512ff68fe86bf9554e486bc02"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sap-cloud-infrastructure/elektra","events":[{"introduced":"0"},{"fixed":"49aea3b365082681558bf3bf7bf4a51766cfc44d"}]},{"type":"GIT","repo":"https://github.com/sap-cloud-infrastructure/elektra","events":[{"introduced":"0"},{"fixed":"8bce00be93b95a6512ff68fe86bf9554e486bc02"}]}],"versions":["2018.1","2018.2","2018.3","2018.4","2018.5","2018.6","2018.7","2018.8","2022.3","rails-5.2.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-41961.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H/E:X/RL:O/RC:C"}]}