Cyber Resilience

CVE-2023-47105

Severity: High
Type: RCE
Published: 18 September 2024
Modified: 15 April 2026
KEV Added: not listed
Patch: no entry
CVSS v3.1 score: 8.6 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)
EPSS score: 0.3081 (96.8th percentile)
Risk priority: 36 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-47105 is a high-severity OS Command Injection (CWE-78) vulnerability in Notion (inferred from references). Its CVSS base score is 8.6 (High).

Operationally, it ranks in the top 3.2% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

Chaosblade versions 0.3 through 1.7.3 contain a command injection vulnerability in the exec.CommandContext function when the tool runs in server mode. The flaw, tracked as CWE-78, permits unauthenticated OS command execution through the cmd parameter supplied to the executor.

An unauthenticated attacker with network access to the Chaosblade server can submit crafted requests and execute arbitrary operating-system commands; the CVSS 8.6 vector rates the impact as low on confidentiality (C:L), high on integrity (I:H) and low on availability (A:L).

The two referenced resources consist of a direct link to the vulnerable executor.go code path and a Notion page documenting the remote command execution issue; neither source supplies mitigation steps, patch details, or upgrade guidance. The associated EPSS score has remained at 0.3081 without a documented rise from a lower baseline.

Vulnerability details

exec.CommandContext in Chaosblade 0.3 through 1.7.3, when server mode is used, allows OS command execution via the cmd parameter without authentication.

CWE(s)

CWE-78 (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Notion (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.
- Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
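As an added example (constructed here; not Chaosblade's code and not the referenced executor.go), the shell-forwarding pattern the Deeper analysis section describes is shown beside a hardened handler that implements the input-validation control above. The names allowedPrograms, plainToken, parseCommand and runSafe, and the allow-list contents, are hypothetical.

```go
package main

import (
	"context"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Unsafe shape (constructed, not Chaosblade's code): the request-supplied cmd
// string is handed to a shell, so every metacharacter in it is interpreted (CWE-78).
func runUnsafe(ctx context.Context, cmd string) ([]byte, error) {
	return exec.CommandContext(ctx, "/bin/sh", "-c", cmd).CombinedOutput()
}

// Hardened shape: allow-list the program (hypothetical list), accept only
// plain-token arguments, and never invoke a shell.
var allowedPrograms = map[string]bool{"uptime": true, "df": true}
var plainToken = regexp.MustCompile(`^[A-Za-z0-9_./=-]+$`)

func parseCommand(cmd string) (string, []string, error) {
	fields := strings.Fields(cmd)
	if len(fields) == 0 {
		return "", nil, fmt.Errorf("empty command")
	}
	if !allowedPrograms[fields[0]] {
		return "", nil, fmt.Errorf("program %q is not allow-listed", fields[0])
	}
	for _, f := range fields[1:] {
		if !plainToken.MatchString(f) {
			return "", nil, fmt.Errorf("argument %q has disallowed characters", f)
		}
	}
	return fields[0], fields[1:], nil
}

// runSafe passes argv directly; ";", "|" and "$(...)" are inert because no shell parses it.
func runSafe(ctx context.Context, cmd string) ([]byte, error) {
	prog, args, err := parseCommand(cmd)
	if err != nil {
		return nil, err
	}
	return exec.CommandContext(ctx, prog, args...).CombinedOutput()
}

func main() {
	fmt.Println(parseCommand("uptime; id")) // rejected: "uptime;" is not allow-listed
}
```

Because strings.Fields splits on whitespace and plainToken rejects quotes, a quoted argument containing spaces is also refused rather than silently re-joined.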
