Full Report
Resource Injection vulnerability (CVE-2024-6051) has been found in Vercom S.A. Redlink SDK.
Analysis Summary
# Vulnerability: Resource Injection in Vercom S.A. Redlink SDK (Potential Code Injection)
## CVE Details
- CVE ID: CVE-2024-6051
- CVSS Score: Not explicitly provided in the source text, assuming a higher score due to code injection potential. (Severity assessment pending official CVSS vector)
- CWE: CWE-99 (Improper Control of Resource Identifiers ('Resource Injection'))
## Affected Systems
- Products: Vercom S.A. Redlink SDK (Software Development Kit)
- Versions: All versions through 1.13
- Configurations: Affects applications utilizing the vulnerable SDK components.
## Vulnerability Description
The vulnerability is classified as a Cross Application Scripting vulnerability, specifically described as an 'Improper Control of Resource Identifiers' or 'Resource Injection' flaw. In specific situations, this flaw allows an attacker to perform **code injection** and subsequently **manipulate the view of a vulnerable application** integrating the Redlink SDK.
## Exploitation
- Status: Undetermined from the source, but classified as a code injection vulnerability, suggesting potential for active exploitation. **(Assuming PoC available based on common disclosure patterns for critical flaws, but not explicitly confirmed.)**
- Complexity: Medium (Requires specific application context/situations)
- Attack Vector: Not explicitly stated, but typically related to input handling within the SDK functions.
## Impact
*(Impact levels are inferred based on the description of code injection and view manipulation)*
- Confidentiality: Potential High (Depending on achievable code execution context)
- Integrity: High (Ability to manipulate application view and execute injected code)
- Availability: Potential Medium/High (If exploited code leads to denial of service)
## Remediation
### Patches
- Specific patch version is **not listed** in the provided text. Users must seek the updated SDK version from Vercom S.A. that supersedes version 1.13.
### Workarounds
- No specific workarounds were detailed in the advisory summary. Developers should restrict external or untrusted data flow into application components utilizing the Redlink SDK functions until patched.
## Detection
- Detection relies on identifying applications that are built using Redlink SDK versions <= 1.13.
- Specific Indicators of Compromise (IOCs) related to the injection payload are not provided in the summary.
## References
- Vendor Advisory: Vercom S.A. (Implied)
- CERT Polska Advisory: [https://cert.pl/en/news/](https://cert.pl/en/news/) (General news/advisory page)
- CVE Record: [https://www.cve.org/CVERecord?id=CVE-2024-6051](https://www.cve.org/CVERecord?id=CVE-2024-6051)
- CVD Process Information: [https://cert.pl/en/cvd/](https://cert.pl/en/cvd/)