CVE Vulnerabilities

CVE-2024-39069

Public cloneable() Method Without Final ('Object Hijack')

Published: Jul 09, 2024 | Modified: Aug 01, 2024
CVSS 3.x: N/A (Source: NVD)

An issue in ifood Order Manager v3.35.5 Gestor de Peddios.exe allows attackers to execute arbitrary code via a DLL hijacking attack.

Weakness

A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.

Potential Mitigations

References