CVE-2023-45158

Severity: Critical · Type: RCE

Published: 16 October 2023

Modified: 21 November 2024
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.1503 (94.7th percentile)
Risk Priority: 29 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-45158 is a critical-severity OS Command Injection (CWE-78) vulnerability in web2py (vendor: web2py). Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 5.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

An OS command injection vulnerability affects web2py versions 2.24.1 and earlier when the application is configured to use notifySendHandler for logging, a non-default setting. The flaw, tracked as CWE-78, allows a crafted web request to inject and execute arbitrary operating system commands on the server hosting the product.

Unauthenticated remote attackers can exploit the issue over the network without user interaction by sending specially formed HTTP requests whose content reaches the logging handler. Successful exploitation grants full control over the web server, enabling arbitrary command execution with high impact on confidentiality, integrity, and availability, as reflected in the CVSS 9.8 score.

Public references point to a fix in the web2py repository via commit 936e2260b0c34c44e2f3674a893e96d2a7fad0a3 along with an advisory from JVN. Operators should apply the available patch or upgrade to a corrected release and avoid enabling notifySendHandler unless the update has been deployed. The associated EPSS score has remained flat at 0.1503 with no indicated increase after disclosure.
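As an added illustration, and not web2py's own code or the patched commit, here is the shape of the flaw described above next to its hardened form: a hypothetical notify-send logging handler whose log message originates in the HTTP request. The hardened version passes the message as a single argv element with no shell, so shell metacharacters in request data are inert.

```python
import logging
import shutil
import subprocess
from typing import List

# Hypothetical handler (not web2py's code, not the patched commit) showing the
# CWE-78 shape the advisory describes: a log message that originates in the
# HTTP request is handed to an OS command.

def unsafe_notify_command(message: str) -> str:
    # Vulnerable shape, shown for contrast only (nothing here runs it): the
    # message is interpolated into one shell string, so any shell
    # metacharacters it contains would be interpreted by /bin/sh.
    return "notify-send 'web2py' '%s'" % message

def safe_notify_argv(message: str) -> List[str]:
    # Hardened shape: an argv list and no shell. The message is exactly one
    # argument and cannot end the command or start another. "--" stops option
    # parsing so a message beginning with "-" is not read as a notify-send flag.
    return ["notify-send", "--", "web2py", message]

class SafeNotifySendHandler(logging.Handler):
    """Desktop-notification log handler that never goes through a shell."""

    def __init__(self, dry_run: bool = False) -> None:
        super().__init__()
        # Stay in dry-run when notify-send is absent (e.g. on a server).
        self.dry_run = dry_run or shutil.which("notify-send") is None
        self.sent: List[List[str]] = []  # argv of each emitted record

    def emit(self, record: logging.LogRecord) -> None:
        argv = safe_notify_argv(self.format(record))
        self.sent.append(argv)
        if not self.dry_run:
            subprocess.run(argv, shell=False, check=False, timeout=5)

def demo(message: str) -> List[str]:
    # Log a constructed request-derived message and return the argv produced.
    log = logging.getLogger("cve-2023-45158-demo")
    log.handlers.clear()
    log.propagate = False
    handler = SafeNotifySendHandler(dry_run=True)
    log.addHandler(handler)
    log.warning(message)
    return handler.sent[-1]
```

The same argv-list approach applies to any log sink that shells out; the control that matters is that request-derived text never reaches a shell parser, not that it is filtered.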

Vulnerability details

An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

web2py (vendor: web2py), versions ≤ 2.24.1

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
