CVE-2024-8374

Name: CVE-2024-8374
Description: UltiMaker Cura slicer versions 5.7.0-beta.1 through 5.7.2 are vulnerable to code injection via the 3MF format reader (/plugins/ThreeMFReader.py). The vulnerability arises from improper handling of the drop_to_buildplate property within 3MF files, which are ZIP archives containing the model data. When a 3MF file is loaded in Cura, the value of the drop_to_buildplate property is passed to the Python eval() function without proper sanitization, allowing an attacker to execute arbitrary code by crafting a malicious 3MF file. This vulnerability poses a significant risk as 3MF files are commonly shared via 3D model databases.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
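
The unsafe pattern described above (a property value read from an untrusted 3MF archive handed to eval()) next to a strict parser that accepts only the two boolean spellings, as an added example that is not Cura's own code. The archive layout, the metadata element name and the default when the property is absent are assumptions for illustration:

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespace of the 3MF core model XML.
NS = {"m": "http://schemas.microsoft.com/3dmanufacturing/core/2015/02"}


def build_sample_3mf(drop_value: str) -> bytes:
    """Constructed sample: a minimal 3MF (ZIP) whose model XML carries a
    drop_to_buildplate metadata entry. Real Cura files are laid out differently;
    this is only enough structure to exercise the parser below."""
    model_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<model unit="millimeter" xmlns="%s">' % NS["m"]
        + '<metadata name="drop_to_buildplate">%s</metadata>' % escape(drop_value)
        + "<resources/><build/></model>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("3D/3dmodel.model", model_xml)
    return buf.getvalue()


def parse_drop_to_buildplate(raw: str) -> bool:
    # Vulnerable pattern (CVE-2024-8374): `return eval(raw)` runs whatever the
    # file author wrote. Hardened form: an allowlist of the two literal spellings;
    # every other string is rejected without ever being interpreted as code.
    normalized = raw.strip().lower()
    if normalized == "true":
        return True
    if normalized == "false":
        return False
    raise ValueError("drop_to_buildplate must be True or False, got %r" % raw)


def read_drop_to_buildplate(data: bytes) -> bool:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("3D/3dmodel.model"))
    node = root.find("m:metadata[@name='drop_to_buildplate']", NS)
    if node is None or node.text is None:
        return True  # assumed default: no hint means the model is dropped to the plate
    return parse_drop_to_buildplate(node.text)


def load_drop_hint(data: bytes):
    """Returns the parsed flag, or None when the file's value was rejected."""
    try:
        return read_drop_to_buildplate(data)
    except ValueError:
        return None
```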

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release       Version    Status
cura (PTS)       bullseye      4.8-4      fixed
                 bookworm      4.13.0-1   fixed
                 sid, trixie   5.0.0-6    fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version    Urgency   Origin   Debian Bugs
cura      source   (unstable)   (not affected)

Notes

- cura <not-affected> (Vulnerable code not present)
  Introduced by: https://github.com/Ultimaker/Cura/commit/55e5cd8982e266a8b28b062fb113e150aaef815d (5.7.0-beta.1)
  Fixed by: https://github.com/Ultimaker/Cura/commit/285a241eb28da3188c977f85d68937c0dad79c50 (5.8.0-beta.1-RC2)