CVE-2023-33965 CRITICAL

CVE-2023-33965: Brook's tproxy server is vulnerable to a drive-by command injection.

Vendor Txthinking

Product brook

Weakness CWE-78

Published June 1, 2023

Last update January 9, 2025

View on NVD All CVEs

CVSS base score

9.7/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Brook is a cross-platform programmable network tool. The `tproxy` server is vulnerable to a drive-by command injection. An attacker may fool a victim into visiting a malicious web page which will trigger requests to the local `tproxy` service leading to remote code execution. A patch is available in version 20230606.

Key dates

02Disclosure timeline

June 1, 2023 CVE published

January 9, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-33965

Related vulnerabilities

04Related CVE

CVE-2026-35582 Emissary has an OS Command Injection via Unvalidated IN_FILE_ENDING / OUT_FILE_ENDING in Executrix CVE-2026-5208 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in coolercontrold CVE-2025-34035 EnGenius EnShare IoT Gigabit Cloud Service Command Injection CVE-2021-23198 mySCADA myPRO CVE-2023-6319 Command injection in the getAudioMetadata method from the com.webos.service.attachedstoragemanager service