CVE-2020-12078

Name of the Vulnerable Software and Affected Versions Open-AudIT version 3.3.1

Description An issue was discovered in Open-AudIT where shell metacharacter injection is possible via attributes to an "open-audit/configuration/" URI. An attacker can exploit this by adding an excluded IP address to the global discovery settings, internally referred to as exclude ip. This exclude ip value is passed to the exec function in the discoveries helper.php file, specifically inside the all ip list function, without being filtered. As a result, the attacker can provide a payload instead of a valid IP address.

Recommendations For Open-AudIT version 3.3.1, consider disabling the all ip list function in the discoveries helper.php file as a temporary workaround until a patch is available. Restrict access to the "open-audit/configuration/" URI to minimize the risk of exploitation. Avoid using the exclude ip variable in the global discovery settings until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.