Code Injection in SABnzbd - CVE-2023-34237
Published: December 27, 2023
Vulnerability identifier: #VU84804
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-34237
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
SABnzbd
SABnzbd
Software vendor:
SABnzbd
SABnzbd
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation when handling parameters settings in the Notification Script functionality. A remote attacker with access to the application's web interface can pass specially crafted parameters and execute arbitrary code on the system.
Note, by default the web interface is accessible without authentication only from localhost.
Remediation
Install updates from vendor's website.
External links
- https://sabnzbd.org/wiki/configuration/4.0/general
- https://github.com/sabnzbd/sabnzbd/security/advisories/GHSA-hhgh-xgh3-985r
- https://github.com/sabnzbd/sabnzbd/commit/422b4fce7bfd56e95a315be0400cdfdc585df7cc
- https://github.com/sabnzbd/sabnzbd/commit/e3a722664819d1c7c8fab97144cc299b1c18b429
- https://security.gentoo.org/glsa/202312-11