CVE-2024-42360

CRITICAL

SequenceServer < 3.1.2 - OS Command Injection via HTTP Endpoint Parameters

Title source: llm

Description

SequenceServer lets you rapidly set up a BLAST+ server with an intuitive user interface for personal or group use. Several HTTP endpoints did not properly sanitize user input and/or query parameters. This could be exploited to inject and run unwanted shell commands. This vulnerability has been fixed in 3.1.2.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/wurmlab/sequenceserver/security/advisories/GHSA-qv32-5wm2-p32h

Patch x_refsource_misc

https://github.com/wurmlab/sequenceserver/commit/457e52709f7f9ed2fceed59b3db564cb50785dba

View Patch ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0162

EPSS Percentile 82.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-77

Status published

Products (2)

rubygems/sequenceserver 0 - 3.1.2RubyGems

wurmlab/sequenceserver < 3.1.2

Published Aug 14, 2024

Tracked Since Feb 18, 2026