Vulnerability Description
An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product.
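As an added defender-side illustration, not web2py's code and not the fix in the referenced commit: a logging handler that forwards records to notify-send, showing the assumed unsafe shape (log text spliced into a shell string) beside a hardened form that hands the message to subprocess as a single argv element with no shell. The notify-send argument layout, MAX_NOTIFY_LEN and the sample log line are assumptions.

```python
import logging
import subprocess

MAX_NOTIFY_LEN = 200  # constructed cap: a notification should never carry a whole request

def unsafe_shell_command(message: str) -> str:
    """Shape of the flaw (assumed, not web2py's code): the log message is spliced
    into a shell string, so quotes and ';' inside it change the command. Returned
    for inspection only; this function never executes anything."""
    return 'notify-send "web2py" "%s"' % message

def sanitize_for_notify(message: str) -> str:
    """Treat the message as data: drop control characters, cap the length, and
    keep a leading '-' from being parsed by notify-send as an option."""
    cleaned = "".join(ch for ch in message if ch.isprintable())[:MAX_NOTIFY_LEN]
    return " " + cleaned if cleaned.startswith("-") else cleaned

def build_notify_argv(message: str) -> list:
    """Hardened form: an argv list for subprocess with no shell involved, so the
    message is always exactly one argument whatever characters it contains."""
    return ["notify-send", "web2py", sanitize_for_notify(message)]

class SafeNotifySendHandler(logging.Handler):
    """Logging handler that forwards records to notify-send without a shell."""

    def emit(self, record: logging.LogRecord) -> None:
        argv = build_notify_argv(self.format(record))
        try:
            # shell=False is already the default; stated explicitly because it is the point.
            subprocess.run(argv, shell=False, check=False, timeout=2)
        except (OSError, subprocess.SubprocessError):
            self.handleError(record)

if __name__ == "__main__":
    # Constructed sample: a log line carrying request-controlled text.
    sample = 'bad login for name=bob"; echo injected; "'
    print("unsafe shell string:", unsafe_shell_command(sample))
    print("safe argv          :", build_notify_argv(sample))
```

The safe form still depends on the log format not re-introducing a shell; keep the handler's formatter plain and let subprocess, not the formatter, own argument boundaries.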
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Web2Py | Web2Py | <= 2.24.1 |
Related Weaknesses (CWE)
References
- http://web2py.com/ (Product)
- http://web2py.com/init/default/download (Product)
- https://github.com/web2py/web2py/commit/936e2260b0c34c44e2f3674a893e96d2a7fad0a3 (Patch)
- https://jvn.jp/en/jp/JVN80476432/ (Third Party Advisory)
FAQ
What is CVE-2023-45158?
CVE-2023-45158 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product.
How severe is CVE-2023-45158?
CVE-2023-45158 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-45158?
Check the references section above for vendor advisories and patch information. Affected product: Web2Py (vendor: Web2Py), versions 2.24.1 and earlier.