CVE-2023-49565
Published: 18 September 2025
Summary
CVE-2023-49565 is a high-severity Command Injection (CWE-77) vulnerability in a Nokia product (vendor inferred from references). Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 42.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2023-49565 is a remote command execution vulnerability in the cbis_manager Podman container, specifically affecting the /api/plugins endpoint. The issue stems from improper sanitization of the HTTP headers X-FILENAME, X-PAGE, and X-FIELD, which are passed directly to the subprocess.Popen Python function without validation. This allows command injection, enabling attackers to execute arbitrary commands on the underlying system through crafted header values in an HTTP request. The web service runs with root privileges in the container, granting executed commands elevated access.
An attacker with adjacent network access (AV:A) and high privileges (PR:H) can exploit this with low complexity (AC:L) by sending a malicious HTTP request to the vulnerable endpoint. Successful exploitation leads to remote code execution with root privileges within the container environment, resulting in high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) across a changed scope (S:C). The vulnerability carries a CVSS v3.1 base score of 8.4 and is associated with CWE-77 (Command Injection).
Nokia's product security advisory for CVE-2023-49565 recommends restricting access to the management network using an external firewall as a partial mitigation. No patches or additional remediation details are specified in the available information.
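One way to apply the input validation described above, as an added example that is not Nokia's code and is not taken from the advisory. The header formats, the `run_plugin_tool` helper and the stand-in command are assumptions, since the page does not show the affected handler.

```python
import re
import subprocess
import sys

# Risky shape (assumed; the page only says the headers reach subprocess.Popen
# unvalidated): a command string built from header text and run through a shell,
#   subprocess.Popen("tool " + headers["X-FILENAME"], shell=True)
# so shell metacharacters in the header become part of the command line.

# Allow-list per header. These formats are assumptions for illustration.
# X-FILENAME may not start with '-', so it cannot be read as an option.
HEADER_RULES = {
    "X-FILENAME": re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}"),
    "X-PAGE": re.compile(r"[0-9]{1,4}"),
    "X-FIELD": re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,31}"),
}

# Stand-in for the real helper program: prints the arguments it received.
STAND_IN_TOOL = [sys.executable, "-c", "import sys; print('|'.join(sys.argv[1:]))"]

# Constructed sample requests (header dictionaries only).
GOOD = {"X-FILENAME": "report.txt", "X-PAGE": "2", "X-FIELD": "hostname"}
BAD = {"X-FILENAME": "report.txt; id", "X-PAGE": "2", "X-FIELD": "hostname"}


def validate_plugin_headers(headers):
    """Return the three header values, or raise ValueError if any is off-list."""
    clean = {}
    for name, rule in HEADER_RULES.items():
        value = headers.get(name)
        # fullmatch rejects partial matches, including a trailing newline.
        if value is None or not rule.fullmatch(value):
            raise ValueError(f"rejected header {name}")
        clean[name] = value
    return clean


def run_plugin_tool(headers):
    """Validate first, then pass an argv list so no shell parses the values."""
    clean = validate_plugin_headers(headers)
    argv = STAND_IN_TOOL + [clean["X-FILENAME"], clean["X-PAGE"], clean["X-FIELD"]]
    proc = subprocess.Popen(argv, shell=False, stdout=subprocess.PIPE, text=True)
    out, _ = proc.communicate(timeout=10)
    return out.strip()


if __name__ == "__main__":
    print(run_plugin_tool(GOOD))
```

The two layers are independent: the allow-list rejects unexpected values before any process is started, and the argv list keeps each value a single argument even if a rule is later loosened.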
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-53521
Vulnerability details
The cbis_manager Podman container is vulnerable to remote command execution via the /api/plugins endpoint. Improper sanitization of the HTTP Headers X-FILENAME, X-PAGE, and X-FIELD allows for command injection. These headers are directly utilized within the subprocess.Popen Python function without adequate validation, enabling a remote attacker to execute arbitrary commands on the underlying system by crafting malicious header values within an HTTP request to the affected endpoint. Because the web service executes with root privileges within the container environment, the demonstrated remote code execution permits an attacker to acquire elevated privileges for the command execution. Restricting access to the management network with an external firewall can partially mitigate this risk.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct RCE via command injection in public web endpoint (/api/plugins) using unsanitized headers to Python Popen, enabling arbitrary command execution as root.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mandates validation and sanitization of untrusted HTTP headers like X-FILENAME, X-PAGE, and X-FIELD to prevent command injection via subprocess.Popen.
Enforces boundary protection to restrict network access to the vulnerable /api/plugins endpoint, aligning with the recommended external firewall mitigation for management networks.
Limits the scope and impact of root-privileged RCE by enforcing least privilege on the cbis_manager containerized web service processes.