CVE-2023-41331 (GCVE-0-2023-41331)
Vulnerability from cvelistv5 – Published: 2023-09-12 19:57 – Updated: 2024-09-25 19:52
VLAI?
Summary
SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully
crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` to the blacklist.
Severity ?
9.8 (Critical)
CWE
- CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:01:33.602Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86"
},
{
"name": "https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41331",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T19:50:36.021749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T19:52:21.360Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sofa-rpc",
"vendor": "sofastack",
"versions": [
{
"status": "affected",
"version": "\u003c 5.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully\ncrafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` to the blacklist."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-917",
"description": "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-12T19:57:57.437Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86"
},
{
"name": "https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0"
}
],
"source": {
"advisory": "GHSA-chv2-7hxj-2j86",
"discovery": "UNKNOWN"
},
"title": "SOFARPC Remote Command Execution (RCE) Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-41331",
"datePublished": "2023-09-12T19:57:57.437Z",
"dateReserved": "2023-08-28T16:56:43.367Z",
"dateUpdated": "2024-09-25T19:52:21.360Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sofastack:sofarpc:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"5.11.0\", \"matchCriteriaId\": \"ED8774FC-A1D7-4754-884F-E05FDDA111EE\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully\\ncrafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` to the blacklist.\"}, {\"lang\": \"es\", \"value\": \"SOFARPC es un framework de Java RPC. Las versiones anteriores a la 5.11.0 son vulnerables a la ejecuci\\u00f3n remota de comandos. A trav\\u00e9s de un payload manipulado, un atacante puede lograr la inyecci\\u00f3n JNDI o la ejecuci\\u00f3n de comandos del sistema. En la configuraci\\u00f3n predeterminada del framework SOFARPC, se utiliza una lista negra para filtrar las clases peligrosas encontradas durante el proceso de deserializaci\\u00f3n. Sin embargo, la lista negra no es exhaustiva y un actor puede explotar ciertas clases nativas de JDK y paquetes comunes de terceros para construir cadenas de dispositivos capaces de lograr ataques de inyecci\\u00f3n JNDI o ejecuci\\u00f3n de comandos del sistema. La versi\\u00f3n 5.11.0 contiene una soluci\\u00f3n para este problema. Como workaround, los usuarios pueden agregar `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` a la lista negra.\"}]",
"id": "CVE-2023-41331",
"lastModified": "2024-11-21T08:21:05.483",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
"published": "2023-09-12T20:15:09.980",
"references": "[{\"url\": \"https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mitigation\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mitigation\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-917\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-41331\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-09-12T20:15:09.980\",\"lastModified\":\"2024-11-21T08:21:05.483\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully\\ncrafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` to the blacklist.\"},{\"lang\":\"es\",\"value\":\"SOFARPC es un framework de Java RPC. Las versiones anteriores a la 5.11.0 son vulnerables a la ejecuci\u00f3n remota de comandos. A trav\u00e9s de un payload manipulado, un atacante puede lograr la inyecci\u00f3n JNDI o la ejecuci\u00f3n de comandos del sistema. En la configuraci\u00f3n predeterminada del framework SOFARPC, se utiliza una lista negra para filtrar las clases peligrosas encontradas durante el proceso de deserializaci\u00f3n. Sin embargo, la lista negra no es exhaustiva y un actor puede explotar ciertas clases nativas de JDK y paquetes comunes de terceros para construir cadenas de dispositivos capaces de lograr ataques de inyecci\u00f3n JNDI o ejecuci\u00f3n de comandos del sistema. La versi\u00f3n 5.11.0 contiene una soluci\u00f3n para este problema. Como workaround, los usuarios pueden agregar `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` a la lista negra.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-917\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sofastack:sofarpc:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.11.0\",\"matchCriteriaId\":\"ED8774FC-A1D7-4754-884F-E05FDDA111EE\"}]}]}],\"references\":[{\"url\":\"https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86\", \"name\": \"https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0\", \"name\": \"https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T19:01:33.602Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-41331\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-25T19:50:36.021749Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-25T19:51:53.923Z\"}}], \"cna\": {\"title\": \"SOFARPC Remote Command Execution (RCE) Vulnerability\", \"source\": {\"advisory\": \"GHSA-chv2-7hxj-2j86\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"sofastack\", \"product\": \"sofa-rpc\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 5.11.0\"}]}], \"references\": [{\"url\": \"https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86\", \"name\": \"https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0\", \"name\": \"https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully\\ncrafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` to the blacklist.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-917\", \"description\": \"CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-09-12T19:57:57.437Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-41331\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-25T19:52:21.360Z\", \"dateReserved\": \"2023-08-28T16:56:43.367Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-09-12T19:57:57.437Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…