An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product.
References
Link | Resource |
---|---|
http://web2py.com/ | Product |
http://web2py.com/init/default/download | Product |
https://github.com/web2py/web2py/commit/936e2260b0c34c44e2f3674a893e96d2a7fad0a3 | Patch |
https://jvn.jp/en/jp/JVN80476432/ | Third Party Advisory |
Configurations
History
21 Nov 2024, 08:26
Type | Values Removed | Values Added |
---|---|---|
References | () http://web2py.com/ - Product | |
References | () http://web2py.com/init/default/download - Product | |
References | () https://github.com/web2py/web2py/commit/936e2260b0c34c44e2f3674a893e96d2a7fad0a3 - Patch | |
References | () https://jvn.jp/en/jp/JVN80476432/ - Third Party Advisory | |
18 Oct 2023, 19:58
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:web2py:web2py:*:*:*:*:*:*:*:* | |
CWE | CWE-78 | |
References | (MISC) http://web2py.com/ - Product | |
References | (MISC) https://github.com/web2py/web2py/commit/936e2260b0c34c44e2f3674a893e96d2a7fad0a3 - Patch | |
References | (MISC) http://web2py.com/init/default/download - Product | |
References | (MISC) https://jvn.jp/en/jp/JVN80476432/ - Third Party Advisory | |
CVSS | v2 : v3 : | v2 : unknown v3 : 9.8 |
First Time | Web2py web2py, Web2py | |
16 Oct 2023, 08:15
Type | Values Removed | Values Added |
---|---|---|
New CVE | | |
Information
Published : 2023-10-16 08:15
Updated : 2024-11-21 08:26
NVD link : CVE-2023-45158
Mitre link : CVE-2023-45158
CVE.ORG link : CVE-2023-45158
Products Affected
web2py
- web2py
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')