osv / Google / OSV:CVE-2023-33965
History: Jun 01, 2023 - 3:15 p.m.

CVE-2023-33965

2023-06-01 15:15:09
Google
osv.dev
Tags: cve-2023-33965, brook, programmable network, tproxy server, drive-by command injection, remote code execution, patch, version 20230606, software

CVSS3: 9.6
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score: 8.2
Confidence: Low

EPSS: 0.007
Percentile: 80.7%

Brook is a cross-platform programmable network tool. The tproxy server is vulnerable to a drive-by command injection. An attacker may fool a victim into visiting a malicious web page which will trigger requests to the local tproxy service leading to remote code execution. A patch is available in version 20230606.
