Cyber Posture

CVE-2024-55964

Critical

Published: 26 March 2025

Modified: 01 April 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4995 (97.8th percentile)
Risk Priority: 50 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may abuse Unix shell commands and scripts for execution.

Security Summary

CVE-2024-55964 is a remote command execution vulnerability (CWE-94) affecting Appsmith versions before 1.52. The issue arises from an incorrectly configured PostgreSQL instance embedded in the Appsmith Docker container image, enabling arbitrary command execution within the container. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-03-26T20:15:21.373.

Exploitation requires an attacker to access the Appsmith instance, log in, create a datasource, craft a query against that datasource, and execute it. Successful exploitation grants remote command execution inside the Appsmith Docker container, potentially allowing high confidentiality, integrity, and availability impacts.

Mitigation details are available in the official security advisory at https://github.com/appsmithorg/appsmith/security/advisories/GHSA-m95x-4w54-gc83.

Details

CWE(s): CWE-94

Affected Products

Vendor: appsmith · Product: appsmith · Affected versions: ≤ 1.52

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The CVE describes a remote code execution flaw in a public-facing web application (Appsmith), which maps directly to T1190 (exploitation of a public-facing application); successful exploitation grants arbitrary command execution inside the Linux-based Docker container, which maps to T1059.004 (Unix Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
