CVE-2023-45158
Published: 16 October 2023
Summary
CVE-2023-45158 is a critical-severity OS Command Injection (CWE-78) vulnerability in Web2Py. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 5.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
An OS command injection vulnerability affects web2py versions 2.24.1 and earlier when the application is configured to use notifySendHandler for logging, a non-default setting. The flaw, tracked as CWE-78, allows a crafted web request to inject and execute arbitrary operating system commands on the server hosting the product.
Unauthenticated remote attackers can exploit the issue over the network without user interaction by sending specially formed HTTP requests that reach the logging handler. Successful exploitation grants full control over the web server, enabling arbitrary command execution with impacts to confidentiality, integrity, and availability as reflected in the CVSS 9.8 score.
Public references point to a fix in the web2py repository via commit 936e2260b0c34c44e2f3674a893e96d2a7fad0a3 along with an advisory from JVN. Operators should apply the available patch or upgrade to a corrected release and avoid enabling notifySendHandler unless the update has been deployed. The associated EPSS score has remained flat at 0.1503 with no indicated increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-49465
Vulnerability details
An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.