CVE-2024-52010 HIGH

CVE-2024-52010: Zoraxy has an authenticated command injection in the Web SSH feature

Vendor Tobychui

Product zoraxy

Weakness CWE-78

Published November 12, 2024

Last update November 21, 2024

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. A command injection vulnerability in the Web SSH feature allows an authenticated attacker to execute arbitrary commands as root on the host. Zoraxy has a Web SSH terminal feature that allows authenticated users to connect to SSH servers from their browsers. In HandleCreateProxySession the request to create an SSH session is handled. An attacker can exploit the username variable to escape from the bash command and inject arbitrary commands into sshCommand. This is possible, because, unlike hostname and port, the username is not validated or sanitized.

Key dates

02Disclosure timeline

November 12, 2024 CVE published

November 21, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-52010 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

CVE-2024-52010: Zoraxy has an authenticated command injection in the Web SSH feature

01Description

02Disclosure timeline

03References

04Related CVE