CVE-2024-29375 in IBNRSinfo

Summary

by MITRE • 04/04/2024

CSV Injection vulnerability in Addactis IBNRS v.3.10.3.107 allows a remote attacker to execute arbitrary code via a crafted .ibnrs file to the Project Description, Identifiers, Custom Triangle Name (inside Input Triangles) and Yield Curve Name parameters.


Analysis

by VulDB Data Team • 03/29/2025

The CSV injection vulnerability identified as CVE-2024-29375 affects Addactis IBNRS version 3.10.3.107, representing a critical security flaw that enables remote code execution through maliciously crafted input data. This vulnerability specifically targets the application's handling of .ibnrs files, which are used in project configuration and data processing workflows. The flaw exists in how the system processes user-supplied data within multiple parameter fields, including the Project Description, Identifiers, Custom Triangle Name (within Input Triangles), and Yield Curve Name parameters. When these fields receive specially crafted CSV content, the application fails to properly sanitize or validate the input before processing, creating an avenue for malicious code injection.

The technical exploitation of this vulnerability leverages the inherent characteristics of CSV file parsing, where certain characters and sequences can be interpreted as commands by the application's processing engine. Attackers can construct malicious .ibnrs files containing embedded code sequences that, when processed by the vulnerable application, execute arbitrary commands on the target system. This represents a classic server-side code injection vulnerability that operates at the application layer, with potential for privilege escalation depending on the execution context. The vulnerability falls under CWE-94, which categorizes improper control of generation of code, specifically addressing situations where untrusted data is used to generate executable code without proper sanitization.

From an operational perspective, this vulnerability presents significant risk to organizations utilizing Addactis IBNRS for financial data processing and risk management tasks. The remote exploitation capability means attackers can compromise systems without requiring physical access or local credentials, making it particularly dangerous in enterprise environments where such applications handle sensitive financial data and business-critical information. The impact extends beyond simple code execution to potential data exfiltration, system compromise, and disruption of business operations. Organizations relying on this software for actuarial calculations, risk modeling, and financial reporting face potential exposure to unauthorized access and data manipulation.

The attack surface for this vulnerability encompasses any workflow involving .ibnrs file imports or parameter modifications within the specified fields. Security professionals should consider this vulnerability in relation to ATT&CK technique T1059.001, which covers command and scripting interpreter execution, and T1203, which addresses exploitation for privilege escalation. Mitigation strategies should include immediate application patching from the vendor, implementation of input validation controls, and network segmentation to limit access to affected systems. Additionally, organizations should conduct thorough vulnerability assessments of their data processing workflows and implement monitoring for suspicious file upload activities. The vulnerability highlights the importance of proper data sanitization in applications handling structured data formats and underscores the need for comprehensive security testing of file import functionalities in enterprise applications.
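One form the input validation control mentioned above can take, as an added example (not vendor or VulDB code): it flags values in the four fields named in the advisory that begin with a character spreadsheet applications treat as a formula trigger, and neutralizes such cells on CSV export. The dictionary layout, the function names and the sample values are assumptions, since the page does not describe the .ibnrs format.

```python
import csv
import io

# Leading characters that make spreadsheet applications evaluate a cell
# (OWASP CSV-injection guidance): =, +, -, @, tab, carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Field names from the advisory; keying them in a dict is an assumption.
RISKY_FIELDS = ("Project Description", "Identifiers",
                "Custom Triangle Name", "Yield Curve Name")


def is_formula_like(value: str) -> bool:
    """True if the value, ignoring leading spaces, starts with a trigger."""
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def flag_fields(project: dict) -> list:
    """Return the advisory-listed fields whose value is formula-like."""
    return [f for f in RISKY_FIELDS if is_formula_like(str(project.get(f, "")))]


def neutralize(value: str) -> str:
    """Prefix a single quote so the cell is shown as text, not evaluated."""
    return "'" + value if is_formula_like(value) else value


def export_csv(rows: list) -> str:
    """Write rows with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize(str(cell)) for cell in row])
    return buf.getvalue()


# Constructed sample metadata (not taken from a real .ibnrs file).
SAMPLE = {
    "Project Description": "Q4 reserve review",
    "Identifiers": "=SUM(1,1)",
    "Custom Triangle Name": "  @paid_triangle",
    "Yield Curve Name": "EUR swap curve",
}

if __name__ == "__main__":
    print("flagged:", flag_fields(SAMPLE))
    print(export_csv([list(SAMPLE), list(SAMPLE.values())]))
```

Name and description fields rarely need to start with `-` or `+`, so the strict check costs little here; numeric columns would need a separate rule.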

Reservation: 03/19/2024

Disclosure: 04/04/2024

Moderation: accepted

CPE: ready

EPSS: 0.01463

KEV: no

Activities: very low
