CVE-2023-31039

EPSS 0.32%
Veröffentlicht 08.05.2023 09:15:09
Zuletzt bearbeitet 21.11.2024 08:01:18
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

Security vulnerability in Apache bRPC <1.5.0 on all platforms allows attackers to execute arbitrary code via ServerOptions::pid_file.
An attacker that can influence the ServerOptions pid_file parameter with which the bRPC server is started can execute arbitrary code with the permissions of the bRPC process.

Solution:
1. upgrade to bRPC >= 1.5.0, download link:  https://dist.apache.org/repos/dist/release/brpc/1.5.0/ https://dist.apache.org/repos/dist/release/brpc/1.5.0/ 
2. If you are using an old version of bRPC and hard to upgrade, you can apply this patch:  https://github.com/apache/brpc/pull/2218 https://github.com/apache/brpc/pull/2218

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Brpc Version >= 0.9.0 < 1.5.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.32%	0.547

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.openwall.com/lists/oss-security/2023/05/08/1

Patch

Third Party Advisory

Mailing List

https://lists.apache.org/thread/jqpttrqbc38yhckgp67xk399hqxnz7jn

Patch

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2023-31039

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-31039

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-31039

EUVD