CVE-2023-38889: There's code injection vulnerability of alluxio.util.CommonUtils.getUnixGroups · Issue #17766 · Alluxio/alluxio

An issue in Alluxio v2.9.3 and before allows an attacker to execute arbitrary commands via a crafted string (containing Unix shell metacharacters) passed as the username parameter of alluxio.util.CommonUtils.getUnixGroups(java.lang.String).

Tags: CVE, #vulnerability, #java

Affected Alluxio Version:
All versions before the latest (2.9.3).

Describe the vulnerability
Passing a username containing Unix shell special characters as the parameter of alluxio.util.CommonUtils.getUnixGroups(java.lang.String) can inject malicious commands. For example, the following code
CommonUtils.getUnixGroups("| echo 123");
would finally execute bash -c id -gn | echo 123; id -Gn. Therefore the malicious command echo 123 is executed.

To Reproduce
Just executing alluxio.util.CommonUtils.getUnixGroups("| echo 123") would reproduce it.

Are you planning to fix it
I’ve already submitted a pull request. See #17256.
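The pattern the issue describes, shown as an added illustration that is not Alluxio's own code nor the fix from the pull request: the username is concatenated into a single bash -c command line (so "| echo 123" becomes part of what bash parses), beside a hardened variant that validates the username and passes it as its own argv element so no shell ever interprets it. The class name, method names and the username regex are assumptions for the example.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class UnixGroupsDemo {

  // Vulnerable pattern (illustrative reconstruction, not the project's code):
  // the username is interpolated into one shell command line, so every shell
  // metacharacter in it ("|", ";", "$(...)", backticks) is honoured by bash.
  static String[] vulnerableCommand(String user) {
    return new String[] {"bash", "-c", "id -gn " + user + "; id -Gn " + user};
  }

  // Hardened pattern: reject anything that is not a plausible Unix username
  // and hand the value to id(1) directly, as a separate argv element.
  // Assumption: portable POSIX usernames; tighten or loosen to local policy.
  private static final Pattern SAFE_USER = Pattern.compile("^[a-z_][a-z0-9_-]{0,31}\\$?$");

  static String[] safeCommand(String user) {
    if (!SAFE_USER.matcher(user).matches()) {
      throw new IllegalArgumentException("refusing username with unexpected characters: " + user);
    }
    return new String[] {"id", "-Gn", user};
  }

  // Run argv without a shell; ProcessBuilder passes each element verbatim.
  static List<String> run(String[] argv) throws IOException, InterruptedException {
    Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
    List<String> lines = new ArrayList<>();
    try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
      String line;
      while ((line = r.readLine()) != null) {
        lines.add(line);
      }
    }
    int rc = p.waitFor();
    if (rc != 0) {
      throw new IOException("command failed with exit code " + rc + ": " + lines);
    }
    return lines;
  }

  // Hardened replacement for the lookup: "id -Gn <user>" prints the group
  // names on one whitespace-separated line.
  static List<String> getUnixGroupsSafe(String user) throws IOException, InterruptedException {
    List<String> out = run(safeCommand(user));
    if (out.isEmpty()) {
      return new ArrayList<>();
    }
    return Arrays.asList(out.get(0).trim().split("\\s+"));
  }

  public static void main(String[] args) throws Exception {
    String payload = "| echo 123";

    // What bash would be asked to run in the vulnerable variant: the payload
    // now sits in the command line twice, and "echo 123" executes.
    System.out.println("vulnerable argv: " + Arrays.toString(vulnerableCommand(payload)));

    try {
      safeCommand(payload);
    } catch (IllegalArgumentException e) {
      System.out.println("hardened variant rejected it: " + e.getMessage());
    }

    // Legitimate use of the hardened variant on the current user.
    String me = System.getProperty("user.name");
    System.out.println("groups of " + me + ": " + getUnixGroupsSafe(me));
  }
}
```

The two changes that matter are independent: dropping the bash -c wrapper removes the shell that parsed the metacharacters, and the allow-list check stops unexpected input from reaching id(1) at all (including names that a later refactor might again splice into a shell string).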

Related news

GHSA-xrrh-h86w-pwfj: Alluxio vulnerable to arbitrary code execution
