CVE-2023-32637
published 2023-07-25


Priority: P2 (63)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.98% (57.9th percentile)
GBrowse accepts files with any formats uploaded and places them in the area accessible through unauthenticated web requests. Therefore, anyone who can upload files through the product may execute arbitrary code on the server.

Affected (5 ranges)

  Vendor                                    Product   Version range                         Fixed in
  debian                                    gbrowse   < gbrowse 2.56+dfsg-1 (bookworm)      gbrowse 2.56+dfsg-1 (bookworm)
  generic_model_organism_database_project   gbrowse   (not stated)                          (not stated)
  generic_model_organism_database_project   gbrowse   >= 0, < 2.56+dfsg-1                   2.56+dfsg-1
  generic_model_organism_database_project   gbrowse   >= 0, < 2.56+dfsg-1                   2.56+dfsg-1
  generic_model_organism_database_project   gbrowse   >= 0, < 2.56+dfsg-1                   2.56+dfsg-1

Detection & IOCs (extracted from sources)

  • GBrowse serves uploaded files of any format to unauthenticated web requests; monitor the web-accessible upload directories for script files (e.g. .pl, .cgi, .php) that could enable remote code execution.
  • The vulnerability is fixed in GBrowse version 2.56+dfsg-1 on Debian bookworm, bullseye, and trixie; systems running older versions remain exploitable.

CVSS provenance

  Source          Version   Score   Severity   Vector
  nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  osv             -         9.8     CRITICAL   -
  vendor_debian   -         9.8     CRITICAL   -