CVE-2023-45158

2023-10-1608:15:09

Google

osv.dev

vulnerability

web2py

command injection

notifysendhandler

arbitrary execution

web server

software

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

32.2%

JSON

An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product.

CPENameOperatorVersion
web2pyeqR-2.22.4
web2pyeqR-2.10.4
web2pyeqR-2.15.1
web2pyeqR-2.9.6
web2pyeqR-2.9.5
web2pyeq2.19.2
web2pyeqR-2.4.3
web2pyeqR-2.4.4
web2pyeqR-2.9.9
web2pyeqR-2.0.9

Name	Operator	Version
web2py	eq	R-2.22.4
web2py	eq	R-2.10.4
web2py	eq	R-2.15.1
web2py	eq	R-2.9.6
web2py	eq	R-2.9.5
web2py	eq	2.19.2
web2py	eq	R-2.4.3
web2py	eq	R-2.4.4
web2py	eq	R-2.9.9
web2py	eq	R-2.0.9