CVE-2024-3924

CVSS v3 Score: 4.4 (Medium)

Vulnerability Description

A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the `autodocs.yml` workflow file. The vulnerability arises from the insecure handling of the `github.head_ref` user input, which is used to dynamically construct a command for installing a software package. An attacker can exploit this by forking the repository, creating a branch with a malicious payload as the name, and then opening a pull request to the base repository. Successful exploitation could lead to arbitrary code execution within the context of the GitHub Actions runner. This issue affects versions up to and including v2.0.0 and was fixed in version 2.0.0.
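The pattern the advisory describes, shown as an added example that is not the project's own `autodocs.yml`: a constructed workflow with the vulnerable interpolation of `github.head_ref` directly into a `run:` script, beside the hardened form that passes the same value through an environment variable so the shell treats it as data. Job names, the package path and the allow-list check are assumptions.

```yaml
# Constructed illustration of the CVE-2024-3924 pattern; not the project's
# actual autodocs.yml. Job names, package path and checks are assumptions.
name: autodocs-example
on:
  pull_request:

jobs:
  vulnerable:
    runs-on: ubuntu-latest
    steps:
      # BAD: github.head_ref is chosen by the PR author (it is the branch
      # name). The ${{ }} expression is substituted into the script text
      # before the shell runs, so shell metacharacters in the branch name
      # become part of the command rather than an argument to it.
      - name: Install package from PR branch (vulnerable)
        run: |
          pip install git+https://github.com/${{ github.event.pull_request.head.repo.full_name }}@${{ github.head_ref }}

  hardened:
    runs-on: ubuntu-latest
    steps:
      # GOOD: hand untrusted values to the step as environment variables.
      # The runner sets them as ordinary variables and the shell expands
      # "$HEAD_REF" as data, so the branch name cannot alter the command.
      - name: Install package from PR branch (hardened)
        env:
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          # Defence in depth (assumed policy): refuse branch names outside a
          # conservative character set before using them at all.
          case "$HEAD_REF" in
            *[!A-Za-z0-9._/-]*)
              echo "refusing unexpected characters in branch name" >&2
              exit 1 ;;
          esac
          pip install "git+https://github.com/${HEAD_REPO}@${HEAD_REF}"
```

The same environment-variable rule applies to every other PR-controlled field (title, body, commit messages) that a `run:` step might otherwise interpolate.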

Related code injection (CWE-94) vulnerabilities with the same CVSS score:

CVSS 4.4 (Medium), CWE-94, 2017
IBM Infosphere BigInsights 4.2.0 could allow an attacker to inject code that could allow access to restricted data and files. IBM X-Force ID: 126244.

CVSS 4.4 (Medium), CWE-94, 2021
Improper address validation vulnerability in RKP api prior to SMR JUN-2021 Release 1 allows root privileged local attackers to write read-only kernel memory.

CVSS 4.4 (Medium), CWE-94, 2023
Code injection vulnerability exists in Chatwork Desktop Application (Mac) 2.6.43 and earlier. If this vulnerability is exploited, a non-administrative user of the Mac where the product is installed ma...

CVSS 4.4 (Medium), CWE-94, 2023
The WPC Smart Quick View for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.2 due to insufficient input sani...

CVSS 4.4 (Medium), CWE-94, 2024
An issue in UltiMaker Cura v.4.41 and 5.8.1 and before allows a local attacker to execute arbitrary code via Inter-process communication (IPC) mechanism between Cura application and CuraEngine process...

CVSS 4.4 (Medium), CWE-94, 2025
An issue has been discovered in the GitLab Duo with Amazon Q affecting all versions from 17.8 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. A specifically crafted issue could manipulate...