Lucene search

[email protected]NVD:CVE-2023-45158

HistoryOct 16, 2023 - 8:15 a.m.

CVE-2023-45158

2023-10-1608:15:09

CWE-78

[email protected]

web.nvd.nist.gov

vulnerability

web2py

notifysendhandler

logging

web server

os command

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.001

Percentile

37.2%

JSON

An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product.

Affected configurations

Nvd

Node

web2pyweb2pyRange≤2.24.1

VendorProductVersionCPE
web2pyweb2py*cpe:2.3:a:web2py:web2py:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
web2py	web2py	*	cpe:2.3:a:web2py:web2py::::::::

References

web2py.com/

web2py.com/init/default/download

github.com/web2py/web2py/commit/936e2260b0c34c44e2f3674a893e96d2a7fad0a3

jvn.jp/en/jp/JVN80476432/

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.001

Percentile

37.2%

JSON

Related for NVD:CVE-2023-45158

vulnrichment1 cvelist1 jvn1 cve1 ubuntucve1 prion1 osv1 githubexploit1