OS Command Injection in mitmproxy - #VU27048
Published: April 21, 2020
mitmproxy
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists because the command generated by "export.clip curl @focus" or "export.file curl @focus /path/to/file" is not properly escaped. A remote unauthenticated attacker can execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
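The escaping failure described above can be checked for without executing any generated command. The following is an added example, not mitmproxy's code: `export_naive` is a hypothetical exporter that wraps values in single quotes without escaping them (an assumed failure mode, since the advisory does not give the details), `export_quoted` applies `shlex.quote`, and the request data is constructed.

```python
import shlex

# Constructed sample requests; the second carries a single quote and shell
# metacharacters in a header value that arrives from the network.
BENIGN = {"method": "GET", "url": "http://example.test/",
          "headers": [("User-Agent", "curl/8")]}
HOSTILE = {"method": "GET", "url": "http://example.test/api?q=1",
           "headers": [("User-Agent", "x'; echo injected; '")]}

def curl_argv(req):
    """Argument vector the exported command is meant to represent."""
    argv = ["curl", "-X", req["method"]]
    for name, value in req["headers"]:
        argv += ["-H", f"{name}: {value}"]
    return argv + [req["url"]]

def export_naive(req):
    """Hypothetical unsafe exporter: single quotes added, nothing escaped."""
    parts = ["curl", "-X", req["method"]]
    parts += [f"-H '{n}: {v}'" for n, v in req["headers"]]
    return " ".join(parts + [f"'{req['url']}'"])

def export_quoted(req):
    """Hardened exporter: every argument goes through shlex.quote."""
    return " ".join(shlex.quote(arg) for arg in curl_argv(req))

def round_trips(exporter, req):
    """True when shell-style tokenising of the export yields exactly the
    intended argv, i.e. no request data escaped its quoting."""
    try:
        return shlex.split(exporter(req)) == curl_argv(req)
    except ValueError:  # unbalanced quotes are also a quoting failure
        return False

def audit(exporter, requests=(BENIGN, HOSTILE)):
    """Return the URLs of requests whose export does not round-trip."""
    return [r["url"] for r in requests if not round_trips(exporter, r)]

if __name__ == "__main__":
    print("naive :", audit(export_naive))
    print("quoted:", audit(export_quoted))
```

The round-trip comparison works as a regression test for any code that turns captured traffic into a shell command line: an export is acceptable only if tokenising it gives back the intended arguments and nothing else.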