GitHub Advisory Database: GHSA-CV5C-2QV5-W2M2
May 20, 2024 - 4:51 p.m.

Passbolt API Remote Code Execution

2024-05-20 16:51:28
CWE-78
Tags: passbolt, api, remote code execution, installation stage, pgp key, bash code injection, security vulnerability, software

AI Score: 7 (High)
Confidence: High

Passbolt provides a way for system administrators to generate a PGP key for the server during installation. The wizard requests a username, an e-mail address and an optional comment. No escaping or verification is done by Passbolt, effectively allowing a user to inject bash code.

The impact is very high, but the probability is very low given that this vulnerability can only be exploited during Passbolt’s installation stage.
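
The missing escaping and verification described above can be closed by validating the three wizard fields and never passing them through a shell. The sketch below is an added example, not Passbolt's code or its actual fix; it assumes the key is generated with GnuPG's unattended mode (`gpg --batch --gen-key` reading parameters on stdin), and the function names and character policy are hypothetical. It also refuses newlines, which would otherwise let a field add its own lines to the parameter block.

```python
import re

# Assumed policy (not Passbolt's): refuse control characters and anything a
# shell or GnuPG's user-ID syntax treats specially.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f`$\\\"';&|<>()]")
_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def check_field(label, value, max_len=128):
    """Return the stripped value, or raise ValueError naming the field."""
    value = value.strip()
    if not value or len(value) > max_len or _FORBIDDEN.search(value):
        raise ValueError(f"{label} is empty, too long or has disallowed characters")
    return value

def build_keygen_job(name, email, comment=""):
    """Validate the wizard's three fields; return (argv, batch_parameters)."""
    name = check_field("name", name)
    email = check_field("email", email)
    if not _EMAIL.fullmatch(email):
        raise ValueError("email is not a valid address")
    comment = check_field("comment", comment) if comment.strip() else ""
    lines = ["Key-Type: RSA", "Key-Length: 3072", f"Name-Real: {name}"]
    if comment:
        lines.append(f"Name-Comment: {comment}")
    lines += [f"Name-Email: {email}", "Expire-Date: 0", "%no-protection", "%commit"]
    # argv carries no user data and is meant for an exec-style call with no
    # shell: subprocess.run(argv, input=params, text=True, check=True)
    return ["gpg", "--batch", "--gen-key"], "\n".join(lines) + "\n"

# Constructed sample inputs: one normal, three that must be refused.
SAMPLES = [
    ("Passbolt Server", "admin@example.com", "default key"),
    ("Server $(id)", "admin@example.com", ""),
    ("Server", "admin@example.com; id", ""),
    ("Server", "admin@example.com", "x\nKey-Length: 512"),
]

def run_samples():
    """Return True (accepted) or False (rejected) for each sample."""
    out = []
    for fields in SAMPLES:
        try:
            build_keygen_job(*fields)
            out.append(True)
        except ValueError:
            out.append(False)
    return out
```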

Affected configurations

Node: passbolt passbolt_api, range < 2.7.0
CPE name: passbolt/passbolt_api, operator: lt, version: 2.7.0
