CVE-2024-10094: 
NixOS vulnerability analysis and mitigation

Pega Platform versions 6.x to Infinity 24.1.1 are affected by a critical vulnerability related to Improper Control of Generation of Code (CVE-2024-10094). The vulnerability was discovered by Daniel Wiseman from Commonwealth Bank of Australia and was disclosed on November 20, 2024. This security issue affects multiple versions of the Pega Platform software suite (Pega Advisory).

The vulnerability has been assigned a CVSS Rating of 9.1 (Critical). The issue involves improper control of generation of code that may allow an attacker to craft code in such a way that it will alter the intended control flow of the product. This vulnerability extends a previous advisory (A22) by addressing additional use cases and allowing java injection protection to be controlled by administrators rather than just developers (Pega Advisory).

The vulnerability is classified as Critical, as it could potentially allow attackers to manipulate the product's control flow through crafted code. As of the disclosure date, Pega has stated they are not aware of any clients being compromised as a result of this vulnerability (Pega Advisory).

Pega has released multiple hotfixes for versions 8.1.9 through 24.1.1, including specific patch releases (23.1.4, 24.1.2, and 24.2). For Pega Cloud clients, environments are being proactively remediated through Cloud Maintenance cases. On-premises or client-managed cloud clients need to apply the appropriate hotfixes available through My Security Hotfixes on My Pega. A system restart is required for the hotfix changes to take effect. Pega strongly recommends clients running versions 6.x, 7.x, and 8.x to upgrade to the latest patch versions (Pega Advisory).