Cyber Resilience

CVE-2023-40582

Critical · RCE

Published: 30 August 2023
Modified: 21 November 2024
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0512 (90.1th percentile)
Risk Priority: 23 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-40582 is a critical-severity OS Command Injection (CWE-78) vulnerability in find-exec, from the find-exec project. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 9.9% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

Deeper analysis

find-exec is a utility for discovering available shell commands on a system. Versions prior to 1.0.3 contain a command injection vulnerability (CWE-78) because user input is not properly escaped before being passed to a shell, allowing an attacker-controlled parameter to inject arbitrary commands. The issue received a CVSS score of 9.8 and affects any application that incorporates the package without additional safeguards.

An unauthenticated remote attacker can supply malicious input to trigger execution of arbitrary shell commands in the context of the running process, potentially leading to full compromise of confidentiality, integrity, and availability. Exploitation requires no user interaction or special privileges and can be performed over the network.

The referenced GitHub Security Advisory GHSA-95rp-6gqp-6622 and associated commit recommend upgrading to version 1.0.3. Users who cannot upgrade are advised to ensure that all input passed to find-exec originates from a trusted source. The EPSS score has remained low with only minor fluctuation between its current value of 0.0512 and peak of 0.0684.
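
An added example, not taken from the advisory or the find-exec project: a Node.js check that walks a parsed npm lockfile and reports every installed copy of find-exec older than the fixed 1.0.3 release. The lockfile contents and the audio-player package name are constructed for illustration.

```javascript
// Added example: flag find-exec versions prior to 1.0.3 in a parsed npm lockfile.
const FIXED = [1, 0, 3]; // first fixed release named on this page

// True when `version` sorts before 1.0.3. Unparseable versions are flagged for review.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(version));
  if (!m) return true;
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return Boolean(m[4]); // a pre-release of 1.0.3 still sorts before 1.0.3
}

function findAffected(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (name === 'find-exec' && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === 'find-exec' && isAffected(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile: one patched copy, one nested vulnerable copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.1.0' },
    'node_modules/find-exec': { version: '1.0.3' },
    'node_modules/audio-player/node_modules/find-exec': { version: '1.0.2' },
  },
};

console.log(findAffected(sampleLock));
```

Nested copies matter here: a patched top-level find-exec does not help a dependency that bundles its own older copy.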

Vulnerability details

find-exec is a utility to discover available shell commands. Versions prior to 1.0.3 did not properly escape user input and are vulnerable to Command Injection via an attacker-controlled parameter. As a result, attackers may run malicious shell commands in the context of the running process. This issue has been addressed in version 1.0.3. Users are advised to upgrade. Users unable to upgrade should ensure that all input passed to find-exec comes from a trusted source.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: find-exec project
Product: find-exec
Affected versions: ≤ 1.0.3

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.
