CVE-2024-6645
📋 TL;DR
This critical vulnerability in WuKongOpenSource Wukong_nocode allows remote attackers to execute arbitrary code through insecure deserialization in the AviatorScript Handler component. Any system running Wukong_nocode up to August 7, 2023 is affected. The exploit has been publicly disclosed and can be launched remotely without authentication.
💻 Affected Systems
- WuKongOpenSource Wukong_nocode
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Remote code execution allowing attackers to deploy malware, establish persistence, and exfiltrate sensitive data.
If Mitigated
Limited impact if proper network segmentation and access controls prevent exploitation attempts.
🎯 Exploit Status
Exploit details are publicly available in GitHub issues, making this easily weaponizable by attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown - product lacks versioning
Vendor Advisory: https://github.com/WuKongOpenSource/Wukong_nocode/issues/4
Restart Required: Yes
Instructions:
1. Check GitHub repository for updates
2. Replace ExpressionUtil.java with patched version
3. Rebuild and redeploy application
4. Restart all affected services
🔧 Temporary Workarounds
Network Isolation
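Restrict network access to Wukong_nocode instances (Linux)
# iptables: drop all inbound TCP traffic to the Wukong_nocode port
iptables -A INPUT -p tcp --dport [WUKONG_PORT] -j DROP
# firewalld: accept traffic to the port from the trusted network (apply with firewall-cmd --reload)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="[TRUSTED_NETWORK]" port protocol="tcp" port="[WUKONG_PORT]" accept'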
Input Validation
Implement strict input validation for AviatorScript expressions (all platforms)
# Add validation in ExpressionUtil.java to reject suspicious patterns
# Implement allowlist for safe expression patterns only
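One way to implement the allowlist named above, as an added example that is not the project's code or its patch. The class name, method names, function list and field names are hypothetical, and it assumes users only need arithmetic and comparison formulas over known field names (Java 9+).

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not Wukong_nocode code; class, method and list contents are hypothetical.
public final class ExpressionAllowlist {
    // Assumption: users only need arithmetic/comparison formulas over known field names.
    private static final Set<String> ALLOWED_FUNCTIONS = Set.of("math.abs", "math.round", "max", "min");
    private static final Set<String> LITERALS = Set.of("true", "false", "nil");
    private static final int MAX_LENGTH = 256;

    // A token is whitespace, a number, a (dotted) identifier, an operator, or one of ( ) ,
    private static final Pattern TOKEN = Pattern.compile(
        "\\s+|\\d+(?:\\.\\d+)?|(?<id>[A-Za-z_]\\w*(?:\\.[A-Za-z_]\\w*)*)"
        + "|==|!=|<=|>=|&&|\\|\\||[-+*/%<>!?:(),]");

    /** Returns true only if every token of expr is on the allowlist. */
    public static boolean isAllowed(String expr, Set<String> fieldNames) {
        if (expr == null || expr.trim().isEmpty() || expr.length() > MAX_LENGTH) return false;
        Matcher m = TOKEN.matcher(expr);
        for (int pos = 0; pos < expr.length(); pos = m.end()) {
            m.region(pos, expr.length());
            // Quotes, ';', single '=', '#', braces and brackets are outside the grammar.
            if (!m.lookingAt()) return false;
            String id = m.group("id");
            if (id == null) continue;
            // An identifier followed by '(' is a call; otherwise it must be a known field.
            boolean isCall = nextNonSpace(expr, m.end()) == '(';
            boolean ok = isCall ? ALLOWED_FUNCTIONS.contains(id)
                                : fieldNames.contains(id) || LITERALS.contains(id);
            if (!ok) return false;
        }
        return true;
    }

    private static char nextNonSpace(String s, int i) {
        while (i < s.length() && Character.isWhitespace(s.charAt(i))) i++;
        return i < s.length() ? s.charAt(i) : '\0';
    }

    public static void main(String[] args) {
        Set<String> fields = Set.of("price", "quantity", "discount"); // constructed field names
        String[] samples = {                                          // constructed inputs
            "price * quantity - discount", "max(price, 10) >= 5 ? price : 0",
            "price = 0", "new java.util.Date()", "str.length('abc')" };
        for (String s : samples) System.out.printf("%-36s %s%n", s, isAllowed(s, fields) ? "ALLOW" : "REJECT");
    }
}
```

Expressions that pass are still evaluated by the engine, so this check complements rather than replaces the patched ExpressionUtil.java.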
🧯 If You Can't Patch
- Immediately isolate affected systems from internet and untrusted networks
- Implement strict network segmentation and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check whether ExpressionUtil.java contains insecure deserialization patterns, or whether the build date is before August 2023
Check Version:
No standard version command - check file timestamps or repository commit history
Verify Fix Applied:
Verify that ExpressionUtil.java has been updated with secure deserialization practices, and validate that no known exploit patterns work
📡 Detection & Monitoring
Log Indicators:
- Unusual Java deserialization errors
- Suspicious AviatorScript expression patterns
- Unexpected process spawns from Java application
Network Indicators:
- Unusual outbound connections from Wukong_nocode process
- Exploit pattern traffic to AviatorScript endpoints
SIEM Query:
source="wukong_logs" AND ("ExpressionUtil" OR "deserialization" OR "AviatorScript") AND severity=HIGH
🔗 References
- https://github.com/WuKongOpenSource/Wukong_nocode/issues/4
- https://vuldb.com/?ctiid.271051
- https://vuldb.com/?id.271051
- https://vuldb.com/?submit.367349