CVE-2023-32637
Published 2023-07-25
Priority P263 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.98% (57.9th percentile)
GBrowse accepts uploaded files of any format and places them in a directory that is reachable through unauthenticated web requests. Anyone who can upload files through the product can therefore place a script where the web server will execute it and run arbitrary code on the server (CWE-434, unrestricted upload of a file with dangerous type). The CVE was marked "UNSUPPORTED WHEN ASSIGNED", i.e. upstream was not expected to ship a fix; the Debian package update to 2.56+dfsg-1 is the remediation listed on this page.
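The two defects described above are accepting any format and writing the file into a web-served directory. The following is an added example, not GBrowse code, of an upload handler that closes both: it only accepts a short allowlist of track formats, checks that the first line actually looks like that format (so a Perl script renamed to `.bed` is refused), and writes the file under an opaque random name into a store directory that the web server is assumed not to serve. The format list, the `store_root` layout and the sample data are assumptions for illustration.

```python
import os
import re
import secrets
import tempfile

# Assumed allowlist of user-track formats; GBrowse's real list is not taken from the advisory.
ALLOWED = {"gff3", "bed", "wig"}
_SAFE_EXT = re.compile(r"^[a-z0-9]+$")

# Constructed sample upload used by demo().
SAMPLE_GFF3 = b"##gff-version 3\nchr1\t.\tgene\t1\t100\t.\t+\t.\tID=g1\n"


def _sniff_ok(ext, data):
    """Cheap format check on the first line: the declared extension must match the content."""
    head = data[:512].decode("ascii", "replace").lstrip()
    first = head.splitlines()[0] if head else ""
    if ext == "gff3":
        return first.startswith("##gff-version 3")
    if ext == "wig":
        return first.startswith(("track", "variableStep", "fixedStep"))
    if ext == "bed":
        # A BED line has at least three tab-separated fields; a shebang or PHP tag has none.
        return len(first.split("\t")) >= 3 and not first.startswith(("#!", "<?"))
    return False


def check_upload(filename, data):
    """Return (True, ext) for an acceptable upload, or (False, reason)."""
    base = os.path.basename(filename)
    if base != filename or not base:
        return False, "path components in filename"
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED or not _SAFE_EXT.match(ext):
        return False, f"extension .{ext} not in allowlist"
    if not _sniff_ok(ext, data):
        return False, f"content does not look like {ext}"
    return True, ext


def store_upload(filename, data, store_root):
    """Write an accepted upload under a random name, outside any web-served tree (assumed)."""
    ok, info = check_upload(filename, data)
    if not ok:
        raise ValueError(info)
    os.makedirs(store_root, mode=0o700, exist_ok=True)
    # The original filename never reaches the filesystem; only the vetted extension does.
    path = os.path.join(store_root, f"{secrets.token_hex(16)}.{info}")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Store the constructed GFF3 sample in a fresh temp store; return (path, basename, mode, in_store)."""
    store = os.path.join(tempfile.mkdtemp(), "store")
    p = store_upload("tracks.gff3", SAMPLE_GFF3, store)
    return p, os.path.basename(p), os.stat(p).st_mode & 0o777, os.path.dirname(p) == store


if __name__ == "__main__":
    print(check_upload("shell.pl", b"#!/usr/bin/perl\nprint `id`;\n"))
    print(demo())
```

The stored path is what the application should map to a session or user record; the browser never sees a URL that resolves directly into `store_root`.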
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gbrowse | < 2.56+dfsg-1 (bookworm) | 2.56+dfsg-1 (bookworm) |
| generic_model_organism_database_project | gbrowse | (not given) | (not given) |
| generic_model_organism_database_project | gbrowse | >= 0, < 2.56+dfsg-1 | 2.56+dfsg-1 |
Detection & IOCs (extracted from sources)
- GBrowse allows unauthenticated web requests to access uploaded files of any format; monitor web-accessible upload directories for script files (e.g., .pl, .cgi, .php) that could enable remote code execution.
- The vulnerability is fixed in GBrowse version 2.56+dfsg-1 on Debian bookworm, bullseye, and trixie; systems running older versions remain exploitable.
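The first IOC above is a sweep of the web-served upload directory. As an added example, not part of the advisory or of GBrowse, the script below walks a directory and flags files a CGI-enabled web server might execute: a script extension, an execute bit, a shebang or server-side tag at the start of the content, or a symlink (which can point outside the upload tree). The sample directory is constructed in `build_sample_dir()`; on a real host, point `scan_upload_dir` at the directory GBrowse is configured to write user tracks into.

```python
import os
import stat
import tempfile

SCRIPT_EXTS = {".pl", ".pm", ".cgi", ".php", ".phtml", ".py", ".sh"}
# Only markers that are unambiguous; a bare "<?" would also match harmless XML.
SCRIPT_MARKERS = (b"#!", b"<?php", b"<%")


def classify(path):
    """Return the reasons a file looks executable by a web server, or [] if none."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    if ext in SCRIPT_EXTS:
        reasons.append(f"script extension {ext}")
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        reasons.append("symlink")
        return reasons  # do not follow it
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("executable bit set")
    with open(path, "rb") as f:
        head = f.read(256).lstrip()
    for marker in SCRIPT_MARKERS:
        if head.startswith(marker):
            reasons.append(f"content starts with {marker!r}")
            break
    return reasons


def scan_upload_dir(root):
    """Map relative path -> reasons, for every suspicious file under root."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            reasons = classify(p)
            if reasons:
                findings[os.path.relpath(p, root)] = reasons
    return findings


def build_sample_dir():
    """Constructed fixture: five uploads, three of which should be flagged."""
    root = tempfile.mkdtemp()
    samples = {
        "tracks.gff3": (b"##gff-version 3\nchr1\t.\tgene\t1\t10\t.\t+\t.\tID=g1\n", 0o644),
        "genes.bed": (b"chr1\t100\t200\tgeneA\n", 0o644),
        "shell.pl": (b"#!/usr/bin/perl\nprint `id`;\n", 0o644),       # extension + shebang
        "innocent.bed": (b"<?php system($_GET['c']); ?>\n", 0o644),   # benign name, PHP body
        "helper.wig": (b"track type=wiggle_0\n", 0o755),              # data file left executable
    }
    for name, (data, mode) in samples.items():
        p = os.path.join(root, name)
        with open(p, "wb") as f:
            f.write(data)
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    for rel, why in sorted(scan_upload_dir(build_sample_dir()).items()):
        print(rel, "->", "; ".join(why))
```

Run it from cron or a detection pipeline and alert on any new finding; an upload directory that should only ever hold track data has no legitimate reason to contain a shebang, a PHP tag, or an executable bit.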
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | (not given) |
| vendor_debian | 9.8 | CRITICAL | (not given) |
GHSA
GHSA-jffq-5gqv-qfcx · ghsa_unreviewed · 2023-07-25 · CRITICAL · CWE-434
** UNSUPPORTED WHEN ASSIGNED ** GBrowse accepts files with any formats uploaded and places them in the area accessible through unauthenticated web requests. Therefore, anyone who can upload files through the product may execute arbitrary code on the server.
OSV
CVE-2023-32637 · osv · 2023-07-25 · CVSS 9.8 · CRITICAL
GBrowse accepts files with any formats uploaded and places them in the area accessible through unauthenticated web requests. Therefore, anyone who can upload files through the product may execute arbitrary code on the server.
Debian
CVE-2023-32637 · gbrowse · vendor_debian · 2023 · CVSS 9.8 · CRITICAL
GBrowse accepts files with any formats uploaded and places them in the area accessible through unauthenticated web requests. Therefore, anyone who can upload files through the product may execute arbitrary code on the server.
Scope: local
bookworm: resolved (fixed in 2.56+dfsg-1)
bullseye: resolved (fixed in 2.56+dfsg-1)
trixie: resolved (fixed in 2.56+dfsg-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.