OS command injection in Ghidra



Published: 2023-02-14
Risk: Medium
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2023-22671
CWE-ID: CWE-676
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
Ghidra
Universal components / Libraries / Software for developers

Vendor: National Security Agency

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Use of Potentially Dangerous Function

EUVDB-ID: #VU72163

Risk: Medium

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-22671

CWE-ID: CWE-676 - Use of Potentially Dangerous Function

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists because the Ghidra client application on Linux and macOS uses the eval command to process arguments passed to the launch.sh script that starts the application. A remote attacker can pass specially crafted input to the application and execute arbitrary OS commands on the system.

Note that the vulnerability can be exploited when the Ghidra client application is running as a service on a remote machine and is passed untrusted input directly as a Ghidra command-line argument.
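
The class of flaw described above, shown as an added example (not code from Ghidra's launch script or from this bulletin): a launcher that re-parses its arguments with eval next to one that forwards them untouched. The function names and the sample file name are hypothetical and constructed for illustration; the embedded command only creates a marker file in a temporary directory.

```shell
#!/bin/sh
# Added illustration with hypothetical names; not Ghidra's launch script.

# Stand-in for the launched program: prints each argument it received.
show_args() { printf '[%s]\n' "$@"; }

# Unsafe pattern: arguments are flattened into one string and re-parsed by
# eval, so shell syntax inside an argument is interpreted, not passed on.
launch_eval() {
    cmd="show_args"
    for a in "$@"; do cmd="$cmd \"$a\""; done
    eval "$cmd"
}

# Safe pattern: forward "$@" directly. Each argument reaches the program as
# one literal word and is never parsed as shell code again.
launch_direct() {
    show_args "$@"
}

# Returns 0 if running the named launcher on a constructed argument caused
# the embedded command substitution to run (marker file was created).
injection_fires() {
    launcher=$1
    dir=$(mktemp -d) || return 2
    marker="$dir/marker"
    # Constructed sample input: a "file name" carrying a command substitution.
    arg='project$(touch '"$marker"').gpr'
    "$launcher" "$arg" >/dev/null
    if [ -e "$marker" ]; then fired=0; else fired=1; fi
    rm -rf "$dir"
    return "$fired"
}

for l in launch_eval launch_direct; do
    if injection_fires "$l"; then
        echo "$l: embedded command executed"
    else
        echo "$l: argument passed through literally"
    fi
done
```

When reviewing other launcher or wrapper scripts for the same weakness, look for eval (or sh -c) applied to a string assembled from "$@" or from individual positional parameters.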

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Ghidra: 9.0.0 - 10.2.2

External links

http://github.com/NationalSecurityAgency/ghidra/pull/4872
http://github.com/NationalSecurityAgency/ghidra/issues/4869
http://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-cqfj-5crw-rh6p


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


