~~NOTOC~~
====== CVE-2020-27958: Arbitrary command execution in Open OnDemand ======

  * Vulnerability Type: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  * Vendor: Ohio Supercomputer Center
  * Affected Product: Open OnDemand 1.8.15 (other versions have not been tested)
  * Affected Component: Myjobs application templates_controller copy_dir function
  * Attack Type: Remote
  * Impact: Code execution
  * Attack Vectors: HTTP request submission

===== Description =====

The Myjobs app in the Ohio Supercomputer Center Open OnDemand web application allows a remote authenticated user to execute arbitrary OS commands (shell injection).

Successful exploitation requires:

  * A default (empty) or permissive WHITELIST_PATH configuration.
  * The ability for the user to create a directory whose name contains a shell injection snippet. The directory must be accessible to the OnDemand web portal for template creation (e.g. shared NFS storage in a grid environment).
  * The user to create a new job template in the Myjobs web application.

The function that copies the source directory structure into the newly created template directory (myjobs templates_controller copy_dir) does not sanitize the source directory name.

===== References =====

  * https://discourse.osc.edu/t/security-fix-in-open-ondemand-1-8-18-and-1-7-19-patch-releases-now-available/1198

===== Timeline =====

  * 05.10.2020 - vulnerability found
  * 19.10.2020 - vendor contacted, PGP key requested, vulnerability disclosed
  * 24.10.2020 - vendor fixed the vulnerability in the public git repository
  * 28.10.2020 - CVE assigned
  * 05.11.2020 - vendor released fixed version
  * 30.11.2020 - vulnerability description published
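The pattern behind this finding, as an added Ruby illustration that is not Open OnDemand's own code: a hypothetical copy_dir that interpolates the source directory name into a shell command string, beside two hardened forms that never invoke a shell, and a containment check in the spirit of a restrictive WHITELIST_PATH. All function names, the sample directory and its contents are constructed for the example.

```ruby
require "fileutils"
require "tmpdir"

# Hypothetical reconstruction of the vulnerable pattern (not the project's
# code): the directory name becomes part of a /bin/sh command line, so any
# shell metacharacters in the name are interpreted rather than copied.
def copy_dir_unsafe(src, dst)
  system("cp -r #{src}/. #{dst}")
end

# Hardened form 1: pure Ruby file operations, no shell at all.
def copy_dir_safe(src, dst)
  FileUtils.cp_r(File.join(src, "."), dst)
end

# Hardened form 2: when an external tool is needed, pass an argument array
# so Ruby execs the program directly and the name is a single argv entry.
def copy_dir_safe_exec(src, dst)
  system("cp", "-r", File.join(src, "."), dst) or raise "cp failed"
end

# Containment check modelled on a non-empty WHITELIST_PATH: the resolved
# source must sit under one of the approved roots (symlinks and ".." resolved).
def allowed_source?(src, whitelist_roots)
  real = File.realpath(src)
  whitelist_roots.any? do |root|
    r = File.realpath(root)
    real == r || real.start_with?(r + File::SEPARATOR)
  end
rescue Errno::ENOENT
  false
end

# Demo: a constructed directory whose name contains shell metacharacters.
# On the hardened paths it is only an odd file name; nothing is executed.
def demo
  Dir.mktmpdir do |tmp|
    src = File.join(tmp, "job; echo injected")   # constructed sample name
    FileUtils.mkdir_p(src)
    File.write(File.join(src, "script.sh"), "#!/bin/bash\necho hi\n")
    dst1 = FileUtils.mkdir_p(File.join(tmp, "template1")).first
    dst2 = FileUtils.mkdir_p(File.join(tmp, "template2")).first
    copy_dir_safe(src, dst1)
    copy_dir_safe_exec(src, dst2)
    { copied_ruby: File.exist?(File.join(dst1, "script.sh")),
      copied_exec: File.exist?(File.join(dst2, "script.sh")),
      allowed: allowed_source?(src, [tmp]),
      outside: allowed_source?("/", [tmp]) }
  end
end
```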