CVE-2023-2868

Warnung

EPSS 89.52%
Veröffentlicht 24.05.2023 19:15:09
Zuletzt bearbeitet 24.10.2025 13:54:41
Quelle cve-coordination@google.com
CVE-Watchlists
Login
Unerledigt
Login

A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product effecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of BNSF-36456 patch. This patch was automatically applied to all customer appliances.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 2 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Barracuda ≫ Email Security Gateway 300 Firmware Version >= 5.1.3.001 <= 9.2.0.006

Barracuda ≫ Email Security Gateway 300 Version-

Barracuda ≫ Email Security Gateway 400 Firmware Version >= 5.1.3.001 <= 9.2.0.006

Barracuda ≫ Email Security Gateway 400 Version-

Barracuda ≫ Email Security Gateway 600 Firmware Version >= 5.1.3.001 <= 9.2.0.006

Barracuda ≫ Email Security Gateway 600 Version-

Barracuda ≫ Email Security Gateway 800 Firmware Version >= 5.1.3.001 <= 9.2.0.006

Barracuda ≫ Email Security Gateway 800 Version-

Barracuda ≫ Email Security Gateway 900 Firmware Version >= 5.1.3.001 <= 9.2.0.006

Barracuda ≫ Email Security Gateway 900 Version-

26.05.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

Barracuda Networks ESG Appliance Improper Input Validation Vulnerability

Schwachstelle

Barracuda Email Security Gateway (ESG) appliance contains an improper input validation vulnerability of a user-supplied .tar file, leading to remote command injection.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	89.52%	0.995

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cve-coordination@google.com	9.4	3.9	5.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://status.barracuda.com/incidents/34kx82j5n4q9

Vendor Advisory

https://www.barracuda.com/company/legal/esg-vulnerability

Vendor Advisory

Mitigation

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-2868

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2023-2868

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-2868

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-2868

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-2868

26.05.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog