CVE-2024-34060

HIGH

IRIS EVTX Module <1.0.0 - Remote Code Execution via EVTX Filename Handling

Title source: manual

Description

IrisEVTXModule is an interface module for Evtx2Splunk and Iris in order to ingest Microsoft EVTX log files. The `iris-evtx-module` is a pipeline plugin of `iris-web` that processes EVTX files through IRIS web application. During the upload of an EVTX through this pipeline, the filename is not safely handled and may cause an Arbitrary File Write. This can lead to a remote code execution (RCE) when combined with a Server Side Template Injection (SSTI). This vulnerability has been patched in version 1.0.0.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/dfir-iris/iris-evtx-module/security/advisories/GHSA-9rw6-5q9j-82fm

Patch x_refsource_misc

https://github.com/dfir-iris/iris-evtx-module/commit/4e45fc94a31e1ee4641d608a387dfd9f9e68dbca

View Patch ZIP pw:eip

Scores

CVSS v3 8.8

EPSS 0.0100

EPSS Percentile 58.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-22

Status published

Products (1)

dfir-iris/iris-evtx-module < 1.0.0

Published May 23, 2024

Tracked Since Feb 18, 2026