JVN#80506242
awkblog vulnerable to OS command injection
Overview
awkblog provided by Keisuke Nakayama contains an OS command injection vulnerability.
Products Affected
- awkblog v0.0.1 (commit hash:7b761b192d0e0dc3eef0f30630e00ece01c8d552) and earlier
Description
awkblog provided by Keisuke Nakayama contains an OS command injection vulnerability (CWE-78).
Impact
If a remote unauthenticated attacker sends a specially crafted HTTP request, an arbitrary OS command may be executed with the privileges of the affected product on the machine running the product.
Solution
Apply the Patch
Apply the patch according to the information provided by the developer.
The developer has released the following patch to address this vulnerability.
- awkblog v0.0.2 (commit hash:13f62021258f7256f1567c4bb5fa6bddcfccde72)
Vendor Status
| Vendor | Link |
| Keisuke Nakayama | Command Injection Vulnerability in awkblog |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
Credit
Keigo YAMAZAKI of LAC Co., Ltd. / Nuligen Security Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2024-36360 |
| JVN iPedia |
JVNDB-2024-000056 |