Vulnerability Details : CVE-2023-28627
Potential exploit
pymedusa is an automatic video library manager for TV shows. In versions prior to 1.0.12, an attacker with access to the web interface can set the git executable path in /config/general/ > advanced settings to arbitrary OS commands. An attacker may exploit this vulnerability to execute arbitrary OS commands as the user running the pymedusa program. Users are advised to upgrade. There are no known workarounds for this vulnerability.
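The fix referenced below is titled "Ensure that git_path is a valid file". The following added example (not Medusa's code; function names and the fake binary are assumptions) shows that class of check: an operator-supplied executable path is accepted only if it names an existing executable file, and git is then launched from an argument list rather than a shell string.

```python
"""Validate a user-configurable git executable path before running it.

Added illustration (not Medusa's code) of the defensive check named in the
CVE-2023-28627 fix title, "Ensure that git_path is a valid file": the
configured value must point at an existing executable file, and git is
then launched through an argument list rather than a shell string.
Function names and the fake binary are assumptions for this example.
"""
import os
import subprocess
import tempfile
from pathlib import Path
from typing import Optional


def validate_git_path(candidate: str) -> Optional[str]:
    """Return candidate if it names an existing executable regular file.

    Anything else (empty value, embedded whitespace, a missing file, a
    non-executable file) is rejected, so a value carrying extra shell
    text can never be stored as the git executable.
    """
    if not candidate or any(ch.isspace() for ch in candidate):
        return None
    path = Path(candidate)
    if not path.is_file() or not os.access(path, os.X_OK):
        return None
    return str(path)


def run_git(git_path: str, *args: str) -> str:
    """Run the validated git binary with args passed as a list (no shell)."""
    checked = validate_git_path(git_path)
    if checked is None:
        raise ValueError("git_path is not a valid executable file")
    result = subprocess.run([checked, *args], capture_output=True, text=True, check=True)
    return result.stdout


def make_fake_git() -> str:
    """Constructed stand-in for a git binary: a small executable script."""
    fd, name = tempfile.mkstemp(prefix="fake-git-")
    with os.fdopen(fd, "w") as handle:
        handle.write('#!/bin/sh\necho "fake-git $*"\n')
    os.chmod(name, 0o700)
    return name


if __name__ == "__main__":
    fake = make_fake_git()
    print(run_git(fake, "--version"))                          # fake-git --version
    print(validate_git_path(fake + " --version; echo extra"))  # None: rejected
```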
Products affected by CVE-2023-28627
- cpe:2.3:a:pymedusa:medusa:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-28627
- EPSS score: 0.44% (probability of exploitation activity in the next 30 days)
- Percentile: ~75% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2023-28627
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | 
8.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L | 3.9 | 3.7 | GitHub, Inc. | 
CWE ids for CVE-2023-28627
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-28627
- https://github.com/pymedusa/Medusa/commit/66d4be8f0872bd5ddcdc5c5a58cb014d22834a45
  Ensure that git_path is a valid file (#11138) · pymedusa/Medusa@66d4be8 · GitHub (Patch)
- https://github.com/pymedusa/Medusa/security/advisories/GHSA-6589-x6f5-cgg9
  OS Command Injection via GIT_PATH · Advisory · pymedusa/Medusa · GitHub (Exploit; Vendor Advisory)