VDB-306395 · CVE-2025-4032 · Issue 38

inclusionAI AWorld har 8c257626e648d98d793dd9a1a950c2af4dd84c4e shell_tool.py subprocess.run/subprocess.Popen kura hakki ndiyam

Hakika vulnerability da aka rarraba a matsayin kura an gano a inclusionAI AWorld har 8c257626e648d98d793dd9a1a950c2af4dd84c4e. Tabbas, aikin subprocess.run/subprocess.Popen ne ke da matsala; idan ba a bayyana ba, to aiki ce da ba a sani ba, a cikin laburare $software_library, a cikin fayil AWorld/aworld/virtual_environments/terminals/shell_tool.py, a cikin sashi $software_component. Wuro manipulation ga kura hakki ndiyam. Amfani da CWE wajen bayyana matsala yana kaiwa CWE-78. Lalle, rauni an sanar da shi 04/28/2025 tare da StarMap Team of Legendsec at QI-ANXIN Group da 38. Ana samun bayanin tsaro don saukewa a github.com. Ana kiran wannan rauni da CVE-2025-4032. Ngam yiɗi ka a tuma ndiyam ka nder waya. Bayani na fasaha ga. Kuma, akwai exploit. Exploit ɗin an bayyana wa jama'a, za a iya amfani da shi. A sa'i, exploit might be approx. USD $0-$5k ndiyam. Á yí huɗɗi-na-gaskiya. Za a iya samun exploit a github.com. 0-day ga, an ndiyam a wuro be $0-$5k. Ana amfani da rolling release a wannan kayi domin ci gaba da isar da sabuntawa. Saboda haka, babu bayanan sigar da abin ya shafa ko sabunta sigar da ake da su. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

3 Goyarwa · 117 Datenpunkte

Furɗe	Súgá 04/28/2025 08:01	Gargadi 1/2 04/30/2025 11:12	Gargadi 2/2 05/10/2025 06:11
cvss3_vuldb_rl	X	X	X
cvss4_vuldb_at	N	N	N
cvss4_vuldb_pr	L	L	L
cvss4_vuldb_sc	N	N	N
cvss4_vuldb_si	N	N	N
cvss4_vuldb_sa	N	N	N
cvss2_vuldb_basescore	4.6	4.6	4.6
cvss2_vuldb_tempscore	4.1	4.1	4.1
cvss3_vuldb_basescore	5.0	5.0	5.0
cvss3_vuldb_tempscore	4.7	4.7	4.7
cvss3_meta_basescore	5.0	5.0	6.0
cvss3_meta_tempscore	4.7	4.7	5.9
cvss4_vuldb_bscore	2.3	2.3	2.3
cvss4_vuldb_btscore	1.3	1.3	1.3
advisory_date	1745791200 (04/28/2025)	1745791200 (04/28/2025)	1745791200 (04/28/2025)
price_0day	$0-$5k	$0-$5k	$0-$5k
software_vendor	inclusionAI	inclusionAI	inclusionAI
software_name	AWorld	AWorld	AWorld
software_version	<=8c257626e648d98d793dd9a1a950c2af4dd84c4e	<=8c257626e648d98d793dd9a1a950c2af4dd84c4e	<=8c257626e648d98d793dd9a1a950c2af4dd84c4e
software_rollingrelease	1	1	1
software_file	AWorld/aworld/virtual_environments/terminals/shell_tool.py	AWorld/aworld/virtual_environments/terminals/shell_tool.py	AWorld/aworld/virtual_environments/terminals/shell_tool.py
software_function	subprocess.run/subprocess.Popen	subprocess.run/subprocess.Popen	subprocess.run/subprocess.Popen
vulnerability_cwe	CWE-78 (kura hakki ndiyam)	CWE-78 (kura hakki ndiyam)	CWE-78 (kura hakki ndiyam)
vulnerability_risk	2	2	2
cvss3_vuldb_av	N	N	N
cvss3_vuldb_ac	H	H	H
cvss3_vuldb_ui	N	N	N
cvss3_vuldb_s	U	U	U
cvss3_vuldb_c	L	L	L
cvss3_vuldb_i	L	L	L
cvss3_vuldb_a	L	L	L
cvss3_vuldb_e	P	P	P
cvss3_vuldb_rc	C	C	C
advisory_identifier	38	38	38
advisory_url	https://github.com/inclusionAI/AWorld/issues/38	https://github.com/inclusionAI/AWorld/issues/38	https://github.com/inclusionAI/AWorld/issues/38
advisory_confirm_url	https://github.com/inclusionAI/AWorld/issues/38#issuecomment-2806190923	https://github.com/inclusionAI/AWorld/issues/38#issuecomment-2806190923	https://github.com/inclusionAI/AWorld/issues/38#issuecomment-2806190923
exploit_availability	1	1	1
exploit_publicity	1	1	1
exploit_url	https://github.com/inclusionAI/AWorld/issues/38#issue-2996574433	https://github.com/inclusionAI/AWorld/issues/38#issue-2996574433	https://github.com/inclusionAI/AWorld/issues/38#issue-2996574433
source_cve	CVE-2025-4032	CVE-2025-4032	CVE-2025-4032
cna_responsible	VulDB	VulDB	VulDB
cvss2_vuldb_av	N	N	N
cvss2_vuldb_ac	H	H	H
cvss2_vuldb_ci	P	P	P
cvss2_vuldb_ii	P	P	P
cvss2_vuldb_ai	P	P	P
cvss2_vuldb_e	POC	POC	POC
cvss2_vuldb_rc	C	C	C
cvss4_vuldb_av	N	N	N
cvss4_vuldb_ac	H	H	H
cvss4_vuldb_ui	N	N	N
cvss4_vuldb_vc	L	L	L
cvss4_vuldb_vi	L	L	L
cvss4_vuldb_va	L	L	L
cvss4_vuldb_e	P	P	P
cvss2_vuldb_au	S	S	S
cvss2_vuldb_rl	ND	ND	ND
cvss3_vuldb_pr	L	L	L
company_name		StarMap Team of Legendsec at QI-ANXIN Group	StarMap Team of Legendsec at QI-ANXIN Group
cve_nvd_summary			A vulnerability was found in inclusionAI AWorld up to 8c257626e648d98d793dd9a1a950c2af4dd84c4e. It has been rated as critical. This issue affects the function subprocess.run/subprocess.Popen of the file AWorld/aworld/virtual_environments/terminals/shell_tool.py. The manipulation leads to os command injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable.
cve_nvd_summaryes			Se encontró una vulnerabilidad en inclusionAI AWorld hasta 8c257626e648d98d793dd9a1a950c2af4dd84c4e. Se ha clasificado como crítica. Este problema afecta a la función subprocess.run/subprocess.Popen del archivo AWorld/aworld/virtual_environments/terminals/shell_tool.py. La manipulación provoca la inyección de comandos del sistema operativo. El ataque puede iniciarse remotamente. Es un ataque de complejidad bastante alta. Parece difícil de explotar. Se ha hecho público el exploit y puede que sea utilizado. Este producto no utiliza control de versiones. Por ello, no hay información disponible sobre las versiones afectadas y no afectadas.
cvss4_cna_av			N
cvss4_cna_ac			H
cvss4_cna_at			N
cvss4_cna_pr			L
cvss4_cna_ui			N
cvss4_cna_vc			L
cvss4_cna_vi			L
cvss4_cna_va			L
cvss4_cna_sc			N
cvss4_cna_si			N
cvss4_cna_sa			N
cvss4_cna_bscore			2.3
cvss3_cna_av			N
cvss3_cna_ac			H
cvss3_cna_pr			L
cvss3_cna_ui			N
cvss3_cna_s			U
cvss3_cna_c			L
cvss3_cna_i			L
cvss3_cna_a			L
cvss3_cna_basescore			5
cvss3_nvd_av			N
cvss3_nvd_ac			H
cvss3_nvd_pr			N
cvss3_nvd_ui			N
cvss3_nvd_s			U
cvss3_nvd_c			H
cvss3_nvd_i			H
cvss3_nvd_a			H
cvss3_nvd_basescore			8.1
cvss2_cna_av			N
cvss2_cna_ac			H
cvss2_cna_au			S
cvss2_cna_ci			P
cvss2_cna_ii			P
cvss2_cna_ai			P
cvss2_cna_basescore			4.6

◂ Gurɗo Gumti Gada ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!