Authenticated RCE through injecting into the application config via CRLF

High
0xJacky published GHSA-qcjq-7f7v-pvc8 Jan 28, 2024

Package

No package listed

Affected versions

< v2.0.0-beta.11

Patched versions

v2.0.0.beta.12

Description

Summary

A bypass of the fix for the following bugs:

CRLF sequences can be injected directly into app.ini, changing the values of test_config_cmd and start_cmd and resulting in an authenticated RCE.
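As an added illustration (not code from the advisory or the affected project): a constructed model of a config writer that splices user-supplied values into an app.ini-style file, showing how a CR/LF inside one value becomes a second start_cmd assignment that a later reader honours, next to the check that rejects such input before writing. The writer, the parser, the [app] section and the sample commands are assumptions; only the key names test_config_cmd and start_cmd come from the advisory.

```python
import re

# Constructed model of a config writer that splices user-supplied values into
# an app.ini-style file. Illustration only, not the affected project's code.
def write_ini_naive(settings: dict) -> str:
    lines = ["[app]"]  # section name is an assumption
    for key, value in settings.items():
        lines.append(f"{key} = {value}")
    return "\n".join(lines) + "\n"

def parse_ini(text: str) -> dict:
    """Minimal INI reader: a later assignment of a key overrides an earlier one."""
    result = {}
    for raw in text.splitlines():  # treats \r\n, \n and \r as line boundaries
        line = raw.strip()
        if not line or line[0] in "[;#" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[key.strip()] = value.strip()
    return result

LINE_BREAK = re.compile(r"[\r\n]")

def is_safe_config(settings: dict) -> bool:
    """Reject any key or value carrying CR or LF: either would start a new line in the file."""
    return not any(LINE_BREAK.search(str(k)) or LINE_BREAK.search(str(v))
                   for k, v in settings.items())

def write_ini_hardened(settings: dict) -> str:
    """Same writer, but refuses input that could smuggle extra lines into app.ini."""
    if not is_safe_config(settings):
        raise ValueError("line break in config key or value")
    return write_ini_naive(settings)

def effective_start_cmd(writer, settings: dict) -> str:
    """The start_cmd a reader of the written file would actually run."""
    return parse_ini(writer(settings))["start_cmd"]

# Constructed sample input. site_name carries a CRLF followed by a second
# start_cmd assignment; the harmless "echo injected" stands in for the command
# an attacker would choose. The command strings themselves are made up.
TRUSTED = {"test_config_cmd": "app --check-config", "start_cmd": "app serve"}
TAINTED = dict(TRUSTED, site_name="demo\r\nstart_cmd = echo injected")

if __name__ == "__main__":
    print("naive writer, tainted input ->", effective_start_cmd(write_ini_naive, TAINTED))
    print("hardened writer accepts tainted input?", is_safe_config(TAINTED))
```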

Impact

Authenticated remote code execution on the host.

Severity

High

CVE ID

CVE-2024-23828

Weaknesses

No CWEs

Credits