CVE-2024-41961 Overview
CVE-2024-41961 is a code injection vulnerability in Elektra, an OpenStack dashboard built on Ruby on Rails for operators and consumers of OpenStack services. The flaw resides in the live search functionality, where user-supplied search terms flow into a Ruby eval sink without proper sanitization. An authenticated attacker can craft a search term containing arbitrary Ruby code that the application executes server-side. The issue is tracked under CWE-94: Improper Control of Generation of Code and was fixed in commit 8bce00be93b95a6512ff68fe86bf9554e486bc02.
Critical Impact
Authenticated users can achieve arbitrary Ruby code execution on the Elektra application server through the live search feature, compromising the dashboard and the OpenStack operations it manages.
Affected Products
- Elektra OpenStack Dashboard (sapcc/elektra)
- Versions prior to commit 8bce00be93b95a6512ff68fe86bf9554e486bc02
- Ruby on Rails-based deployments exposing the live search API
Discovery Timeline
- 2024-08-01 - CVE-2024-41961 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-41961
Vulnerability Analysis
Elektra's live search endpoint is backed by an API lookup helper in app/controllers/concerns/api_lookup.rb. The helper walks a table of search methods, substitutes the placeholder :term in each method's parameter list with the user-supplied query, and invokes the corresponding service method via public_send. Before the fix the helper deep-cloned each parameter list with Marshal.load(Marshal.dump(...)) and then mutated the clone in place (transform_values!, String#replace); the fixing commit message names that Marshal.load round trip as the security issue. The advisory classifies the flaw as CWE-94 code injection, meaning the query was ultimately treated as Ruby code rather than as a string, but the hunk reproduced below does not include that evaluation site, so the exact sink cannot be confirmed from the patch alone. An attacker authenticated to Elektra submits a search term containing Ruby expressions and triggers their execution in the context of the web application.
Root Cause
The root cause is unsafe handling of user input in the live search code path: the raw term string is spliced into a parameter structure that is round-tripped through Marshal and then handed, unchanged, to a dynamic evaluation context, so a term that happens to be syntactically valid Ruby is parsed and run instead of being matched as data. This is the classic CWE-94 pattern, input intended as data being interpreted as code, and the fix is to keep the term an inert String at every step rather than to filter characters out of it.
Attack Vector
Exploitation requires network access to the Elektra dashboard and a valid authenticated session, but no user interaction beyond the attacker's own request. The attacker issues a live search request with a crafted term parameter containing Ruby syntax. The injected payload is executed in the Rails process, granting the attacker the privileges of the Elektra application, including access to OpenStack credentials and APIs the dashboard uses.
# Security patch in app/controllers/concerns/api_lookup.rb
# fix(live-search): don't use Marshal Load due to security issues
term = URI.encode_www_form_component(term)
methods.each do |m|
- params = Marshal.load(Marshal.dump(m[:params]))
- params.each do |inner_param|
- if inner_param.is_a?(Hash)
- inner_param.transform_values! { |value| value == ":term" ? term : value }
- elsif inner_param.is_a?(String) && inner_param == ":term"
- inner_param.replace(term)
+ # replace :term in values
+ transformed_params = m[:params].map do |param|
+ if param.is_a?(Hash)
+ param.transform_values { |value| value == ":term" ? term : value }
+ elsif param.is_a?(String) && param == ":term"
+ term.dup
+ else
+ param
end
end
- found_items = service.public_send(m[:method_name], *params)
+ found_items = service.public_send(m[:method_name], *transformed_params)
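Review bot: the `else` branch (`param`) and `param.transform_values` still hand out objects shared with `m[:params]` (the outer hash is new, but every value other than `":term"` and every entry that is neither a Hash nor a String is the same object as in the method table), so a service method that mutates its arguments now mutates the shared table, which the removed `Marshal` deep clone happened to prevent; freeze the method table, or deep-freeze `m[:params]`, so that kind of mutation fails loudly instead of silently corrupting later requests. Also worth stating in the commit message: this hunk contains no `eval`, and `term = URI.encode_www_form_component(term)` is unchanged context, so whatever evaluates the term as code lies outside these lines and the advisory text should point at it.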
Source: sapcc/elektra commit 8bce00b. The patch replaces the Marshal.load(Marshal.dump(...)) deep clone and the in-place mutation of the cloned parameters (transform_values!, String#replace) with a non-mutating map/transform_values that builds a fresh argument list for each request, returning term.dup where a bare :term placeholder appears. The line term = URI.encode_www_form_component(term) is unchanged context and predates the fix, so the encoding of the term is not part of this change; the hardening here is that the search input only ever travels as a plain String argument.
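The substitution logic of the patched helper, and the data-versus-code distinction the advisory turns on, as an added Ruby example that is not Elektra's code: SEARCH_METHODS, FakeService and the method names are assumptions standing in for the real method table and service objects, and unsafe_filter is a hypothetical CWE-94 sink included only for contrast, not a claim about where Elektra evaluated the term.

```ruby
require "uri"

# Added illustrative example; not Elektra's code. SEARCH_METHODS mimics the
# shape of the method table that api_lookup.rb iterates: a service method name
# plus its argument list, with ":term" marking where the search term goes.
# (Hypothetical names.)
SEARCH_METHODS = [
  { method_name: :find_servers, params: [{ name: ":term" }] },
  { method_name: :find_images,  params: [":term", { limit: 50 }] }
].freeze

# Safe substitution in the style of the patched code: build NEW argument arrays
# and never touch the shared table. The term is only ever inserted as a String.
def substitute_term(methods, raw_term)
  term = URI.encode_www_form_component(raw_term)
  methods.map do |m|
    args = m[:params].map do |param|
      if param.is_a?(Hash)
        param.transform_values { |v| v == ":term" ? term : v }
      elsif param.is_a?(String) && param == ":term"
        term.dup
      else
        param
      end
    end
    [m[:method_name], args]
  end
end

# Stand-in for the dashboard's service object (hypothetical). Each method just
# echoes what it received so we can see the term arrive as plain data.
class FakeService
  def find_servers(filters)
    { method: :find_servers, filters: filters }
  end

  def find_images(term, opts)
    { method: :find_images, term: term, opts: opts }
  end
end

# Dispatch exactly as the helper does: public_send with the splatted argument list.
def live_search(service, methods, raw_term)
  substitute_term(methods, raw_term).map do |name, args|
    service.public_send(name, *args)
  end
end

# Hypothetical CWE-94 sink, included only to contrast with the safe path: the
# term is spliced into Ruby source and evaluated, so "1 + 1" becomes 2 and a
# hostile term would become a method call. This is NOT code from Elektra.
def unsafe_filter(raw_term)
  eval("[#{raw_term}]") # rubocop:disable Security/Eval
end

if __FILE__ == $PROGRAM_NAME
  term = "1 + 1" # constructed input: benign, but syntactically valid Ruby
  p live_search(FakeService.new, SEARCH_METHODS, term)
  p unsafe_filter(term)
end
```

Run it and the safe path delivers the encoded term as an ordinary String argument ("1 + 1" arrives as "1+%2B+1") while SEARCH_METHODS still holds its ":term" placeholders afterwards, which is the non-mutation property the patch restores; the eval stand-in turns the same input into the integer 2, the behaviour that distinguishes a code-injection sink from a string comparison.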
Detection Methods for CVE-2024-41961
Indicators of Compromise
- Live search requests to Elektra endpoints containing Ruby syntax tokens such as backticks, system(, IO.popen, eval(, %x{, or Kernel.
- Unexpected child processes spawned by the Elektra Rails application user
- Outbound network connections from the Elektra host to unfamiliar destinations following a search request
- Rails application log entries showing eval-related errors or stack traces tied to search controllers
Detection Strategies
- Inspect web server and Rails logs for search term parameters containing non-alphanumeric Ruby operators or method calls; decode URL-encoded query strings before matching, since a backtick in an access log appears as %60 and parentheses as %28/%29
- Alert on process executions whose parent is the Elektra Ruby/Puma process and whose command line is uncommon for normal operation
- Compare deployed Elektra commits against the fixed commit 8bce00be93b95a6512ff68fe86bf9554e486bc02 to identify vulnerable instances
- Review authentication logs for accounts issuing high volumes of live search queries with anomalous payload lengths
Monitoring Recommendations
- Forward Elektra application, web server, and host process telemetry to a centralized analytics platform for correlation
- Baseline normal search query patterns and flag deviations in character distribution and length
- Monitor OpenStack API audit logs for actions originating from the Elektra service account outside expected workflows
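A log triage script for the indicators of compromise and detection strategies above, plus the character-distribution baseline under Monitoring Recommendations, as an added Ruby example that is not from the page's source or from Elektra: the log lines are constructed to resemble a Rails request log and a web-server access log, and the regexes, the baseline character set and the ratio/length thresholds are assumptions to be tuned against a real deployment.

```ruby
require "uri"

# Added detection example; not from the page's source or Elektra. The lines
# below are CONSTRUCTED to look like Rails "Parameters:" entries and access-log
# requests; real layouts differ, so the patterns are assumptions.
SAMPLE_LOGS = <<~'LOG'
  I, [2024-08-02T10:00:01]   Parameters: {"term"=>"web-01"}
  10.0.0.9 - - [02/Aug/2024:10:01:00 +0000] "GET /live_search?term=%60id%60 HTTP/1.1" 200 512
  I, [2024-08-02T10:02:00]   Parameters: {"term"=>"x'; Kernel.system(\"id\") #"}
  10.0.0.9 - - [02/Aug/2024:10:03:00 +0000] "GET /live_search?term=IO.popen%28%27id%27%29.read HTTP/1.1" 200 77
  10.0.0.9 - - [02/Aug/2024:10:05:00 +0000] "GET /live_search?term=%7B%7B%7B%7B%7B%7B%7B%7B HTTP/1.1" 400 0
  I, [2024-08-02T10:06:00]   Parameters: {"term"=>"database-prod-eu"}
LOG

# Ruby syntax tokens listed under Indicators of Compromise.
RUBY_TOKENS = ["`", "system(", "IO.popen", "eval(", "%x{", "Kernel."].freeze

# Where the term shows up in each log format (assumed layouts).
TERM_PATTERNS = [
  /Parameters: \{"term"=>"(.*?)"\}/, # Rails request log
  /[?&]term=([^\s&"]+)/              # query string in an access log
].freeze

# Baseline assumptions: hostnames and resource names are short and mostly
# alphanumeric. Tune these against your own search traffic.
MAX_BASELINE_LENGTH = 64
MAX_SYMBOL_RATIO = 0.3

# Pull the raw term out of a line and URL-decode it so encoded metacharacters
# (%60 for a backtick, %28 for a parenthesis) are compared in their real form.
def extract_term(line)
  TERM_PATTERNS.each do |re|
    m = re.match(line)
    return URI.decode_www_form_component(m[1]) if m
  end
  nil
end

# Two checks: known Ruby tokens, then the shape-based baseline (length and the
# share of characters outside the expected set).
def assess_term(term)
  hits = RUBY_TOKENS.select { |t| term.include?(t) }
  non_alnum = term.count("^A-Za-z0-9 ._\\-")
  ratio = term.empty? ? 0.0 : non_alnum.to_f / term.length
  verdict =
    if hits.any?
      :suspicious_token
    elsif term.length > MAX_BASELINE_LENGTH || ratio > MAX_SYMBOL_RATIO
      :anomalous_shape
    else
      :benign
    end
  { term: term, tokens: hits, symbol_ratio: ratio.round(2), verdict: verdict }
end

# One result per line that carries a search term; lines without one are skipped.
def scan_logs(log_text)
  log_text.each_line.filter_map do |line|
    term = extract_term(line)
    next unless term
    assess_term(term).merge(line: line.strip)
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_logs(SAMPLE_LOGS).each do |r|
    puts format("%-17s %-22s %s", r[:verdict], r[:tokens].join(","), r[:term])
  end
end
```

Token matching catches the three injection-shaped terms regardless of which log produced them, and the ratio check flags the all-punctuation term that matches no token at all; the two ordinary hostnames pass both. Feed real lines through it only after confirming the extraction patterns match your log layout, and treat a token hit on an authenticated account as the trigger for the credential rotation listed under mitigation.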
How to Mitigate CVE-2024-41961
Immediate Actions Required
- Upgrade Elektra to a build that includes commit 8bce00be93b95a6512ff68fe86bf9554e486bc02 or later
- Rotate any OpenStack credentials, API tokens, and secrets accessible to the Elektra application after patching
- Audit recent live search traffic and Rails logs for evidence of exploitation attempts
- Restrict Elektra dashboard access to trusted networks and enforce strong authentication for all users
Patch Information
The vulnerability is fixed in sapcc/elektra commit 8bce00be93b95a6512ff68fe86bf9554e486bc02, with related changes in commit 49aea3b365082681558bf3bf7bf4a51766cfc44d. Details are published in GitHub Security Advisory GHSA-6j2h-486h-487q.
Workarounds
- Disable or remove the live search endpoint in deployments that cannot apply the patch immediately
- Place a web application firewall (WAF) rule in front of Elektra to block or log search term values containing Ruby metacharacters; expect false positives on legitimate punctuation and bypasses via encoding, so treat the rule as a stopgap rather than a fix
- Limit Elektra accounts to the minimum set of operators required, reducing the population that can reach the authenticated endpoint
# Verify the deployed Elektra commit includes the fix (git log --oneline abbreviates hashes, so grepping the full SHA there never matches)
cd /path/to/elektra
FIX=8bce00be93b95a6512ff68fe86bf9554e486bc02
if ! git cat-file -e "${FIX}^{commit}" 2>/dev/null; then
  echo "Fix commit unknown to this clone - fetch upstream history first"
elif git merge-base --is-ancestor "$FIX" HEAD; then
  echo "Patched"
else
  echo "Vulnerable - upgrade required"
fi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.