CVE-2023-28627 HIGH

CVE-2023-28627: OS Command Injection via GIT_PATH in pymedusa

Vendor Pymedusa

Product Medusa

Weakness CWE-78

Published March 27, 2023

Last update February 19, 2025

View on NVD All CVEs

CVSS base score

8.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

What the vulnerability does

01Description

pymedusa is an automatic video library manager for TV Shows. In versions prior 1.0.12 an attacker with access to the web interface can update the git executable path in /config/general/ > advanced settings with arbitrary OS commands. An attacker may exploit this vulnerability to take execute arbitrary OS commands as the user running the pymedusa program. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

March 27, 2023 CVE published

February 19, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-28627

Related vulnerabilities

CVE-2023-28627: OS Command Injection via GIT_PATH in pymedusa

01Description

02Disclosure timeline

03References

04Related CVE