PT-2024-35095 · Zoraxy · Zoraxy

N-Thumann · Published 2024-11-12 · Updated 2024-11-20 · CVE-2024-52010

CVSS v4.0: 8.6 (High)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Zoraxy versions 2.6.1 through 3.1.2

Description

A command injection vulnerability in the Web SSH feature allows an authenticated attacker to execute arbitrary commands as root on the host. Zoraxy has a Web SSH terminal feature that allows authenticated users to connect to SSH servers from their browsers. The request to create an SSH session is handled in the HandleCreateProxySession function. An attacker can use the username variable to escape from the bash command and inject arbitrary commands into sshCommand. This is possible because, unlike hostname and port, the username is not validated or sanitized. If Zoraxy runs without authentication on the management interface, the vulnerability can be exploited without authentication. If Zoraxy runs in Docker with the Docker socket mounted, the vulnerability can be used to escape the Zoraxy container and gain access to the Docker host.

Recommendations

For Zoraxy versions 2.6.1 through 3.1.2, update to a version that contains a fix for this vulnerability. As a temporary workaround, consider disabling the Web SSH feature until a patch is available. Restrict access to the HandleCreateProxySession function to minimize the risk of exploitation. Avoid using the username variable in the affected API endpoint until the issue is resolved. If running Zoraxy in Docker, ensure the Docker socket is not mounted to prevent container escape. If running Zoraxy without authentication, enable authentication for the management interface to prevent unauthorized access.
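
One way to close the gap described above, as an added example that is not Zoraxy's own code or its actual fix: validate the username against an allowlist, as is done for hostname and port, and pass ssh an argument vector so that no shell parses the value. BuildSSHArgv, the patterns and the sample inputs are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
)

// Allowlist (an assumption; tighten it to your account naming policy).
// The first character is a letter, digit or underscore, so the value can
// never start with '-' and be read as an ssh option. Shell metacharacters,
// whitespace and '@' are all outside the permitted set.
var usernameRe = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$`)

// Hostname or IPv4 literal. Stands in for the host check that the
// advisory says already exists (hypothetical pattern).
var hostRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$`)

// ErrBadInput wraps every rejection so callers can test with errors.Is.
var ErrBadInput = errors.New("rejected SSH session parameter")

// BuildSSHArgv validates each field and returns an argument vector meant
// for exec.Command(argv[0], argv[1:]...). No "bash -c" string is built,
// so the values are never interpreted by a shell.
func BuildSSHArgv(username, host string, port int) ([]string, error) {
	if !usernameRe.MatchString(username) {
		return nil, fmt.Errorf("%w: username", ErrBadInput)
	}
	if !hostRe.MatchString(host) {
		return nil, fmt.Errorf("%w: host", ErrBadInput)
	}
	if port < 1 || port > 65535 {
		return nil, fmt.Errorf("%w: port", ErrBadInput)
	}
	return []string{"ssh", "-t", "-p", strconv.Itoa(port), username + "@" + host}, nil
}

func main() {
	// Constructed sample inputs: one well-formed name, three that must be rejected.
	for _, u := range []string{"deploy", "root; id", "-v", "user@host"} {
		argv, err := BuildSSHArgv(u, "10.0.0.5", 22)
		fmt.Printf("%q -> %q, err=%v\n", u, argv, err)
	}
}
```

Rejected requests should be logged with the authenticated account and source address, since malformed usernames sent to this endpoint are a useful detection signal.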

Exploit

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2024-52010
GHSA-7HPF-G48V-HW3J
GO-2024-3267
OPENSUSE-SU-2024:14513-1

Affected Products

Zoraxy