CVE-2023-31039

EPSS 0.32%
Published 08.05.2023 09:15:09
Last modified 21.11.2024 08:01:18
Source security@apache.org
Teams watchlist Login
Open Login

Security vulnerability in Apache bRPC <1.5.0 on all platforms allows attackers to execute arbitrary code via ServerOptions::pid_file.
An attacker that can influence the ServerOptions pid_file parameter with which the bRPC server is started can execute arbitrary code with the permissions of the bRPC process.

Solution:
1. upgrade to bRPC >= 1.5.0, download link:  https://dist.apache.org/repos/dist/release/brpc/1.5.0/ https://dist.apache.org/repos/dist/release/brpc/1.5.0/ 
2. If you are using an old version of bRPC and hard to upgrade, you can apply this patch:  https://github.com/apache/brpc/pull/2218 https://github.com/apache/brpc/pull/2218

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Brpc Version >= 0.9.0 < 1.5.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.32%	0.547

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.openwall.com/lists/oss-security/2023/05/08/1

Patch

Third Party Advisory

Mailing List

https://lists.apache.org/thread/jqpttrqbc38yhckgp67xk399hqxnz7jn

Patch

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2023-31039

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-31039

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-31039

EUVD