Lucene search

GoogleOSV:CVE-2023-49102

HistoryNov 22, 2023 - 10:15 p.m.

CVE-2023-49102

2023-11-2222:15:08

Google

osv.dev

nzbget

remote code execution

authenticated

unarchive programs

7za

unrar

executable file permissions

control capability

sevenzipcommand

unrarcmd

unsupported products

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.6%

JSON

NZBGet 21.1 allows authenticated remote code execution because the unarchive programs (7za and unrar) preserve executable file permissions. An attacker with the Control capability can execute a file by setting the value of SevenZipCommand or UnrarCmd. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CPENameOperatorVersion
nzbgeteq17.0
nzbgeteq20.0-r2176
nzbgeteq18.0-r1865
nzbgeteq20.0-r2181
nzbgeteq20.0-r2159
nzbgeteq17.0-r1735
nzbgeteq19.1
nzbgeteq17.1-r1756
nzbgeteq21.1
nzbgeteq17.0-r1726

Name	Operator	Version
nzbget	eq	17.0
nzbget	eq	20.0-r2176
nzbget	eq	18.0-r1865
nzbget	eq	20.0-r2181
nzbget	eq	20.0-r2159
nzbget	eq	17.0-r1735
nzbget	eq	19.1
nzbget	eq	17.1-r1756
nzbget	eq	21.1
nzbget	eq	17.0-r1726

Rows per page:

1-10 of 501

References

nzbget.net/download

sec.maride.cc/posts/nzbget/

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.6%

JSON

Related for OSV:CVE-2023-49102