Arbitrary Command Injection Affecting github.com/tobychui/zoraxy/src/mod/sshprox package, versions >=2.6.0 <3.1.3


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.05% (19th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Command Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-GOLANG-GITHUBCOMTOBYCHUIZORAXYSRCMODSSHPROX-8399969
  • published20 Nov 2024
  • disclosed19 Nov 2024
  • creditNicolas Thumann

Introduced: 19 Nov 2024

CVE-2024-52010  (opens in a new tab)
CWE-77  (opens in a new tab)

How to fix?

Upgrade github.com/tobychui/zoraxy/src/mod/sshprox to version 3.1.3 or higher.

Overview

Affected versions of this package are vulnerable to Arbitrary Command Injection via the Web SSH feature due to improper username sanitization. The username variable can be used by the attacker to escape from the bash command and inject arbitrary commands into sshCommand.

Note:

If Zoraxy is run without authentication of the management interface (started with -noauth), then exploiting this vulnerability is possible without authentication.

References

CVSS Scores

version 4.0
version 3.1