CVE-2023-45158
Published 2023-10-16
Priority: P270 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 3.69% (88.3th percentile)
An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| web2py | web2py | <= 2.24.1 | — |
| web2py | web2py | — | — |
CVSS provenance
nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv · 9.8 · CRITICAL
GHSA
GHSA-vx79-v9rq-vjp5: An OS command injection vulnerability exists in web2py 2
ghsa_unreviewed·2023-10-16
CVE-2023-45158 [CRITICAL] CWE-78 GHSA-vx79-v9rq-vjp5: An OS command injection vulnerability exists in web2py 2
OSV
CVE-2023-45158: An OS command injection vulnerability exists in web2py 2
osv·2023-10-16·CVSS 9.8
CVE-2023-45158 [CRITICAL] CVE-2023-45158: An OS command injection vulnerability exists in web2py 2
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://web2py.com/
http://web2py.com/init/default/download
https://github.com/web2py/web2py/commit/936e2260b0c34c44e2f3674a893e96d2a7fad0a3
https://jvn.jp/en/jp/JVN80476432/
2023-10-16: Published