PT-2024-5024 · Tiagorlampert · Chaos

Published: 2024-04-05 · Updated: 2025-08-27 · CVE-2024-30850

CVSS v2.0: 9.0
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions:

tiagorlampert CHAOS version 5.0.1

tiagorlampert CHAOS versions before 1b451cf62582295b7225caf5a7b506f0bad56f6b and 24c9e109b5be34df7b2bce8368eae669c481ed5e

Description:

The `BuildClient` function within `client service.go` does not neutralize special elements used in an operating system command, which allows a remote attacker to execute arbitrary code. A remote attacker can also execute arbitrary commands via crafted HTTP requests.

Recommendations:

For tiagorlampert CHAOS version 5.0.1, consider disabling the `BuildClient` function within `client service.go` until a patch is available.

For tiagorlampert CHAOS versions before 1b451cf62582295b7225caf5a7b506f0bad56f6b and 24c9e109b5be34df7b2bce8368eae669c481ed5e, update to a version that includes the necessary security fixes to prevent the unsafe concatenation of the `filename` argument into the `buildStr` string.

As a temporary workaround, restrict access to the `client service.go` file to minimize the risk of exploitation.

Avoid using the `filename` argument in the affected `buildStr` string until the issue is resolved.
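The pattern behind these recommendations, as an added example that is not CHAOS's own code: a `filename` concatenated into a build string, next to a variant that validates it and passes an argument vector. The `go build` command line, the allowlist, and the function names `unsafeBuildStr`, `safeBuildArgs` and `buildCommand` are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"regexp"
)

// Assumed allowlist: starts alphanumeric (so it can never parse as a flag),
// then letters, digits, dot, dash, underscore only.
var safeName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$`)
var errBadFilename = errors.New("filename outside allowlist")

// unsafeBuildStr shows the weakness class from the advisory: filename is
// concatenated into a string that a shell would later interpret.
func unsafeBuildStr(filename string) string {
	return "go build -o ./out/" + filename + " ./client"
}

// safeBuildArgs validates filename and returns an argument vector; each
// element reaches the program as one argv entry and no shell parses it.
func safeBuildArgs(outDir, filename string) ([]string, error) {
	if !safeName.MatchString(filename) {
		return nil, errBadFilename
	}
	return []string{"build", "-o", filepath.Join(outDir, filename), "./client"}, nil
}

// buildCommand hands the vector to exec.Command directly, never to "sh -c".
func buildCommand(outDir, filename string) (*exec.Cmd, error) {
	args, err := safeBuildArgs(outDir, filename)
	if err != nil {
		return nil, err
	}
	return exec.Command("go", args...), nil
}

func main() {
	for _, name := range []string{"agent.exe", "agent.exe; echo injected"} { // constructed inputs
		fmt.Printf("%q\n  concatenated: %s\n", name, unsafeBuildStr(name))
		if cmd, err := buildCommand("out", name); err != nil {
			fmt.Println("  rejected:", err)
		} else {
			fmt.Printf("  argv: %q\n", cmd.Args)
		}
	}
}
```

The allowlist rejects path separators and a leading `-` or `.`, so the value can neither leave the output directory nor be read as a build flag.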

Exploit

Fix

Weakness Enumeration

Command Injection
OS Command Injection

Related Identifiers

BDU:2024-05548
CVE-2024-30850
GHSA-P3J6-F45H-HW5F
GHSA-XFJJ-F699-RC79
GO-2024-2822

Affected Products

Chaos