Japan Vulnerability Notes JVN:80476432
Published: Oct 16, 2023 - 12:00 a.m.

JVN#80476432: web2py vulnerable to OS command injection

2023-10-16 00:00:00
Japan Vulnerability Notes (jvn.jp)
Tags: web2py, OS command injection, vulnerability, CWE-78, notifySendHandler, web server, software update, 2.24.1

CVSS v3.1

  • Base score: 9.8 (Critical)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

  • Score: 0.001
  • Percentile: 37.2%

The web2py web application framework contains an OS command injection vulnerability (CWE-78).

Impact

When web2py is configured to use notifySendHandler as a logging handler (this is not the default configuration), a crafted web request may cause an arbitrary OS command to be executed on the web server running the product. The handler must be enabled for the issue to be reachable: installations using the default logging configuration are not affected by this particular issue, but should still apply the update.
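The following is an added example, not web2py's code (the advisory does not show notifySendHandler's implementation), illustrating the CWE-78 pattern the impact statement describes: a logging handler that hands request-derived text to a shell. The handler classes (UnsafeNotifyHandler, SafeNotifyHandler), the notify() helper and the ATTACKER_PATH sample are all hypothetical constructions for this illustration. To run offline, "echo" stands in for the real notification command, and a POSIX /bin/sh is assumed for shell=True.

```python
import logging
import subprocess

# Stand-in for the notification command. A real desktop-notification handler
# would exec notify-send; "echo" is used here so the example runs offline and
# its output can be inspected. Assumes a POSIX /bin/sh (shell=True uses it).
NOTIFY_CMD = "echo"


class _NotifyHandlerBase(logging.Handler):
    """Shared bookkeeping: remember the CompletedProcess of the last call."""

    def __init__(self):
        super().__init__()
        self.last = None


class UnsafeNotifyHandler(_NotifyHandlerBase):
    """Hypothetical vulnerable handler (CWE-78): the formatted record is
    interpolated into a shell command string and run with shell=True."""

    def emit(self, record):
        msg = self.format(record)
        # BUG: shell metacharacters in msg (';', '|', '$(...)', backticks)
        # are interpreted by /bin/sh, so whoever controls the logged text
        # controls the command line.
        self.last = subprocess.run(
            f"{NOTIFY_CMD} {msg}", shell=True, capture_output=True, text=True
        )


class SafeNotifyHandler(_NotifyHandlerBase):
    """Hardened form: argument list, no shell. The message reaches the
    program as a single argv entry regardless of its contents."""

    def emit(self, record):
        msg = self.format(record)
        self.last = subprocess.run(
            [NOTIFY_CMD, msg], capture_output=True, text=True
        )


def notify(handler, text):
    """Log `text` through `handler` and return the stdout that the
    notification command produced."""
    logger = logging.getLogger(f"notify-demo.{id(handler)}")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    # Mirrors the usual pattern of logging something taken from the request.
    logger.info("request %s", text)
    return handler.last.stdout


# Constructed sample: a request path an attacker chose so that the log line
# carries a second shell command after ';'.
ATTACKER_PATH = "/admin/x; echo INJECTED"

if __name__ == "__main__":
    print("shell string :", repr(notify(UnsafeNotifyHandler(), ATTACKER_PATH)))
    print("argument list:", repr(notify(SafeNotifyHandler(), ATTACKER_PATH)))
```

Run through the unsafe handler, the logged path splits into two commands and the second one executes; through the hardened handler the whole line is delivered to the program verbatim. If a shell string really is unavoidable, shlex.quote() on every interpolated value is the fallback, but an argument list is the robust fix. For affected web2py deployments the advisory's guidance stands: update to a fixed release rather than patching the handler locally.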

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Products Affected

  • web2py 2.24.1 and earlier
