← Volver a CVEs

CVE-2026-29042

CRITICAL

9.8

Descripcion

Nuclio is a "Serverless" framework for Real-Time Events and Data Processing. Prior to version 1.15.20, the Nuclio Shell Runtime component contains a command injection vulnerability in how it processes user-supplied arguments. When a function is invoked via HTTP, the runtime reads the X-Nuclio-Arguments header and directly incorporates its value into shell commands without any validation or sanitization. This issue has been patched in version 1.15.20.

Detalles CVE

Puntuacion CVSS v3.19.8

SeveridadCRITICAL

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosNONE

Interaccion usuarioNONE

Publicado3/6/2026

Ultima modificacion3/10/2026

Fuentenvd

Avistamientos honeypot0

Productos afectados

iguazio:nuclio

Debilidades (CWE)

CWE-75

Referencias

https://github.com/nuclio/nuclio/commit/5352d7e16cf92f4350a2f8d806c4b80b626b5c5a(security-advisories@github.com)

https://github.com/nuclio/nuclio/pull/4030(security-advisories@github.com)

https://github.com/nuclio/nuclio/releases/tag/1.15.20(security-advisories@github.com)

https://github.com/nuclio/nuclio/security/advisories/GHSA-95fj-3w7g-4r27(security-advisories@github.com)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.