acme.sh before 3.0.6 runs arbitrary commands from a remote server via eval, as exploited in the wild in June 2023.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2023/07/13/1 | Mailing List Third Party Advisory |
https://github.com/acmesh-official/acme.sh/issues/4659 | Issue Tracking Third Party Advisory |
https://github.com/acmesh-official/acme.sh/releases/tag/3.0.6 | Release Notes |
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/heXVr8o83Ys | Third Party Advisory |
https://news.ycombinator.com/item?id=36252310 | Third Party Advisory |
https://news.ycombinator.com/item?id=36254093 | Third Party Advisory |
https://www.reddit.com/r/netsec/comments/144ygg7/acmesh_runs_arbitrary_commands_from_a_remote/ | Third Party Advisory |
Configurations
History
30 Oct 2024, 19:35
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-94 |
25 Jul 2023, 14:30
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:acme.sh_project:acme.sh:*:*:*:*:*:*:*:* | |
CWE | NVD-CWE-noinfo | |
References | (MISC) https://news.ycombinator.com/item?id=36254093 - Third Party Advisory | |
References | (MISC) https://www.reddit.com/r/netsec/comments/144ygg7/acmesh_runs_arbitrary_commands_from_a_remote/ - Third Party Advisory | |
References | (MISC) https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/heXVr8o83Ys - Third Party Advisory | |
References | (MISC) https://github.com/acmesh-official/acme.sh/issues/4659 - Issue Tracking, Third Party Advisory | |
References | (MISC) https://news.ycombinator.com/item?id=36252310 - Third Party Advisory | |
References | (MLIST) http://www.openwall.com/lists/oss-security/2023/07/13/1 - Mailing List, Third Party Advisory | |
References | (MISC) https://github.com/acmesh-official/acme.sh/releases/tag/3.0.6 - Release Notes | |
First Time |
Acme.sh Project acme.sh
Acme.sh Project |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
13 Jul 2023, 23:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
13 Jul 2023, 03:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-13 03:15
Updated : 2024-10-30 19:35
NVD link : CVE-2023-38198
Mitre link : CVE-2023-38198
CVE.ORG link : CVE-2023-38198
JSON object : View
Products Affected
acme.sh_project
- acme.sh
CWE