GitHub Advisory Database: GHSA-73V2-RXQP-7Q4F
History: Mar 29, 2024 - 6:30 p.m.

aliyundrive-webdav vulnerable to Command Injection

2024-03-29 18:30:42
CWE-77
GitHub Advisory Database
github.com

CVSS3: 9.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.1
Confidence: Low

EPSS: 0.001
Percentile: 17.1%

An issue in aliyundrive-webdav v.2.3.3 and before allows a remote attacker to execute arbitrary code via a crafted payload to the sid parameter in the action_query_qrcode component.

Affected configurations

Vulners Node
aliyundrive webdav, Range: 2.3.3
OR
aliyundrive webdav, Range: 2.3.3

Vendor: aliyundrive
Product: webdav
Version: *
CPE: cpe:2.3:a:aliyundrive:webdav:*:*:*:*:*:*:*:*
