CVE-2024-52010

Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. A command injection vulnerability in the Web SSH feature allows an authenticated attacker to execute arbitrary commands as root on the host. Zoraxy has a Web SSH terminal feature that allows authenticated users to connect to SSH servers from their browsers. In HandleCreateProxySession the request to create an SSH session is handled. An attacker can exploit the username variable to escape from the bash command and inject arbitrary commands into sshCommand. This is possible, because, unlike hostname and port, the username is not validated or sanitized.

CVSS

No CVSS.

References

Link	Resource
https://github.com/tobychui/zoraxy/commit/2e9bc77a5d832bff1093058d42ce7a61382e4bc6
https://github.com/tobychui/zoraxy/commit/c07d5f85dfc37bd32819358ed7d4bc32c604e8f0
https://github.com/tobychui/zoraxy/security/advisories/GHSA-7hpf-g48v-hw3j

Configurations

No configuration.

History

13 Nov 2024, 17:01

Type	Values Removed	Values Added
Summary		(es) Zoraxy es una herramienta de reenvío y proxy inverso HTTP de propósito general. Una vulnerabilidad de inyección de comandos en la función Web SSH permite a un atacante autenticado ejecutar comandos arbitrarios como superusuario en el host. Zoraxy tiene una función de terminal Web SSH que permite a los usuarios autenticados conectarse a servidores SSH desde sus navegadores. En HandleCreateProxySession se maneja la solicitud para crear una sesión SSH. Un atacante puede explotar la variable de nombre de usuario para escapar del comando bash e inyectar comandos arbitrarios en sshCommand. Esto es posible porque, a diferencia del nombre de host y el puerto, el nombre de usuario no se valida ni se desinfecta.

12 Nov 2024, 19:35

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 0.0

12 Nov 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-12 17:15

Updated : 2024-11-13 17:01

NVD link : CVE-2024-52010

Mitre link : CVE-2024-52010

CVE.ORG link : CVE-2024-52010

JSON object : View

Products Affected

No product.

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2024-52010", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 0.0, "attackVector": "NETWORK", "baseSeverity": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 0.0, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 8.6, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "HIGH", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-11-12T17:15:10.370", "references": [{"url": "https://github.com/tobychui/zoraxy/commit/2e9bc77a5d832bff1093058d42ce7a61382e4bc6", "source": "security-advisories@github.com"}, {"url": "https://github.com/tobychui/zoraxy/commit/c07d5f85dfc37bd32819358ed7d4bc32c604e8f0", "source": "security-advisories@github.com"}, {"url": "https://github.com/tobychui/zoraxy/security/advisories/GHSA-7hpf-g48v-hw3j", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. A command injection vulnerability in the Web SSH feature allows an authenticated attacker to execute arbitrary commands as root on the host. Zoraxy has a Web SSH terminal feature that allows authenticated users to connect to SSH servers from their browsers. In HandleCreateProxySession the request to create an SSH session is handled. An attacker can exploit the username variable to escape from the bash command and inject arbitrary commands into sshCommand. This is possible, because, unlike hostname and port, the username is not validated or sanitized."}, {"lang": "es", "value": "Zoraxy es una herramienta de reenv\u00edo y proxy inverso HTTP de prop\u00f3sito general. Una vulnerabilidad de inyecci\u00f3n de comandos en la funci\u00f3n Web SSH permite a un atacante autenticado ejecutar comandos arbitrarios como superusuario en el host. Zoraxy tiene una funci\u00f3n de terminal Web SSH que permite a los usuarios autenticados conectarse a servidores SSH desde sus navegadores. En HandleCreateProxySession se maneja la solicitud para crear una sesi\u00f3n SSH. Un atacante puede explotar la variable de nombre de usuario para escapar del comando bash e inyectar comandos arbitrarios en sshCommand. Esto es posible porque, a diferencia del nombre de host y el puerto, el nombre de usuario no se valida ni se desinfecta."}], "lastModified": "2024-11-13T17:01:58.603", "sourceIdentifier": "security-advisories@github.com"}