PatchSiren cyber security CVE debrief

CVE-2024-39703 ThreatQuotient CVE debrief

A command injection vulnerability in the ThreatQuotient ThreatQ Platform API endpoint allows authenticated attackers to achieve remote code execution. The flaw exists in versions prior to 5.29.3 and was disclosed by CISA on December 17, 2024. The vulnerability requires low privileges and no user interaction, making it exploitable by any authenticated user with network access to the platform.

Vendor: ThreatQuotient
Product: ThreatQ Platform
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-12-17
Original CVE updated: 2024-12-17
Advisory published: 2024-12-17
Advisory updated: 2024-12-17

Who should care

Organizations using ThreatQuotient ThreatQ Platform for threat intelligence management, SOC teams relying on ThreatQ for indicator enrichment and analysis, security architects designing API security for threat intelligence platforms, and CISOs responsible for third-party security tooling risk assessment.

Technical summary

The ThreatQuotient ThreatQ Platform contains a command injection vulnerability in its API endpoint. An attacker with authenticated access can inject arbitrary commands that execute on the underlying system, resulting in remote code execution. The vulnerability is rated CVSS 3.1 8.8 (HIGH) due to its network accessibility, low complexity, and high impact across confidentiality, integrity, and availability. The attack requires only low privileges and no user interaction. ThreatQuotient has released version 5.29.3 to address this vulnerability.

Defensive priority

Critical

Recommended defensive actions

  • Upgrade ThreatQ Platform to version 5.29.3 or later immediately
  • Restrict network access to ThreatQ Platform API endpoints to authorized administrative hosts only
  • Monitor API logs for suspicious command execution patterns or unexpected shell activity
  • Review and validate all API input sanitization and command execution paths
  • Apply principle of least privilege to ThreatQ Platform user accounts
  • Consider network segmentation to isolate ThreatQ Platform from untrusted networks

Evidence notes

CISA ICS advisory ICSA-24-352-01, published December 17, 2024, confirms command injection in the ThreatQ Platform API endpoint in versions prior to 5.29.3. The CVSS 3.1 score of 8.8 (HIGH) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H indicates that the flaw is exploitable over the network with low attack complexity, requires only low privileges and no user interaction, leaves the scope unchanged, and has high impact on confidentiality, integrity, and availability.

Official resources

2024-12-17