CVE-2024-52010 (published 2024-11-12)
Priority P3 · 55 · high · 8.6 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS 1.44% (69.9th percentile)
Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. A command injection vulnerability in the Web SSH feature allows an authenticated attacker to execute arbitrary commands as root on the host. Zoraxy has a Web SSH terminal feature that allows authenticated users to connect to SSH servers from their browsers. In HandleCreateProxySession the request to create an SSH session is handled. An attacker can exploit the username variable to escape from the bash command and inject arbitrary commands into sshCommand. This is possible because, unlike hostname and port, the username is not validated or sanitized.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | tobychui_zoraxy | >= 0 < 3.1.3+incompatible | 3.1.3+incompatible |
| github.com | tobychui_zoraxy | >= 2.6.1 < 3.1.3 | 3.1.3 |
| tobychui | zoraxy | — | — |
OSV
osv · 2024-11-19
CVE-2024-52010 Zoraxy has an authenticated command injection in the Web SSH feature in github.com/tobychui/zoraxy
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: .
GHSA
ghsa · 2024-11-12
CVE-2024-52010 [HIGH] CWE-78 Zoraxy has an authenticated command injection in the Web SSH feature
### Summary
A command injection vulnerability in the Web SSH feature allows an authenticated attacker to execute arbitrary commands as root on the host.
### Details
Zoraxy has a Web SSH terminal feature that allows authenticated users to connect to SSH servers from their browsers.
In [`HandleCreateProxySession`](https://github.com/tobychui/zoraxy/blob/9cb315ea6739d1cc201b690322d25166b12dc5db/src/webssh.go#L19) the request to create an SSH session is handled. After checking for the presence of required parameters, ensuring that the target is not the loopback interface and that there is actually an SSH service running on the target, `CreateNewConnection` is called:
https://github.com/tobychui/zoraxy/blob/e79a70b7acfa45c2
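The advisory's root cause is a single string assembled from request parameters and handed to a shell, with one parameter (the username) never checked. The following Go snippet is an added illustration and is not Zoraxy's own code: `VulnerableSSHCommand` shows the flawed pattern in the abstract (a formatted string that a shell would later parse), and `SafeSSHArgs` / `SafeSSHCommand` show the fix a reviewer would ask for, which is an allow-list check on the username plus an argv slice passed through `exec.Command` so that no shell ever sees user-controlled text. The function names, the username regex and the sample inputs are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strconv"
)

// usernameRe is an allow-list for SSH login names (an assumption for this
// example, not a rule taken from Zoraxy): a lowercase letter or underscore,
// then up to 31 letters, digits, underscores or hyphens. No character a
// shell treats specially can pass it.
var usernameRe = regexp.MustCompile(`^[a-z_][a-z0-9_-]{0,31}$`)

// ValidateUsername rejects anything outside the allow-list.
func ValidateUsername(username string) error {
	if !usernameRe.MatchString(username) {
		return fmt.Errorf("invalid ssh username %q", username)
	}
	return nil
}

// VulnerableSSHCommand mirrors the flawed pattern the advisory describes:
// the unchecked username is interpolated into one string that is later
// given to a shell, so shell metacharacters in it change the command.
// Shown only as the "before" form.
func VulnerableSSHCommand(username, hostname string, port int) string {
	return fmt.Sprintf("ssh %s@%s -p %d", username, hostname, port)
}

// SafeSSHArgs is the hardened form: validate the username against the
// allow-list and build an argv slice, so no shell parses user input.
// The hostname is assumed to be validated by the caller, as the advisory
// says Zoraxy already does for hostname and port.
func SafeSSHArgs(username, hostname string, port int) ([]string, error) {
	if err := ValidateUsername(username); err != nil {
		return nil, err
	}
	if port < 1 || port > 65535 {
		return nil, errors.New("port out of range")
	}
	return []string{"ssh", "-p", strconv.Itoa(port), username + "@" + hostname}, nil
}

// SafeSSHCommand wraps SafeSSHArgs in exec.Command. Each argv element is
// passed to execve as a separate argument; bash is never involved.
func SafeSSHCommand(username, hostname string, port int) (*exec.Cmd, error) {
	args, err := SafeSSHArgs(username, hostname, port)
	if err != nil {
		return nil, err
	}
	return exec.Command(args[0], args[1:]...), nil
}

func main() {
	// Constructed inputs: a normal username and one carrying shell
	// metacharacters, as an attacker-controlled form field might.
	for _, u := range []string{"alice", "alice; echo injected"} {
		fmt.Printf("shell string : %s\n", VulnerableSSHCommand(u, "10.0.0.5", 22))
		if args, err := SafeSSHArgs(u, "10.0.0.5", 22); err != nil {
			fmt.Printf("hardened     : rejected (%v)\n", err)
		} else {
			fmt.Printf("hardened     : argv=%q\n", args)
		}
	}
}
```

The argv form removes the vulnerability class rather than one payload: the shell never runs, so quoting and escaping have nothing to escape from, and the allow-list is a second layer that keeps obviously bad input out of the SSH client's own parsing.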
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-11-12