CVE-2023-34105

CVSS v3.1

7.5

High

Vector

AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions SRS versions prior to 5.0.157 SRS versions prior to 5.0-b1 SRS versions prior to 6.0.48

Description The issue concerns a drive-by command injection in the api-server server. An attacker can send a request to the "/api/v1/snapshots" endpoint with any commands to be executed as part of the body of the POST request, potentially leading to Remote Code Execution (RCE).

Recommendations For versions prior to 5.0.157, update to version 5.0.157 or later. For versions prior to 5.0-b1, update to version 5.0-b1 or later. For versions prior to 6.0.48, update to version 6.0.48 or later.

Exploit

Fix

Command Injection

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77CWE-78

Related Identifiers

CVE-2023-34105

GHSA-VPR5-779C-CX62

Affected Products

Srs

CVE-2023-34105

Weakness Enumeration

Related Identifiers

Affected Products

References · 6