CVE-2020-27958: Arbitrary command execution in Open OnDemand

  • Vulnerability Type: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • Vendor: Ohio Supercomputer Center
  • Affected Product: Open OnDemand 1.8.15 (other versions have not been tested)
  • Affected Component: Myjobs application, templates_controller copy_dir function
  • Attack Type: Remote
  • Impact: Code execution
  • Attack Vectors: HTTP request submission

The Myjobs app in the Ohio Supercomputer Center's Open OnDemand web application allows a remote authenticated user to execute arbitrary OS commands (shell injection).

Successful exploitation requires:

  • A default (empty) or permissive WHITELIST_PATH configuration.
  • The ability for the user to create a directory whose name contains a shell injection snippet. The directory must be reachable by the OnDemand web portal when a template is created (e.g. shared NFS storage in a grid environment).
  • The user to create a new job template in the Myjobs web application from that directory.

The function that copies the source directory structure into the newly created template directory (myjobs templates_controller copy_dir) does not sanitize the source directory name, so shell metacharacters in that name are interpreted when the copy command runs.
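The following is an added example, not Open OnDemand's own code. copy_dir_vulnerable is a hypothetical reconstruction of the bug class described above (a directory name interpolated into a shell command string); copy_dir_safe is a hypothetical hardened form that confines the source to an allowed root, in the spirit of the WHITELIST_PATH precondition, and runs cp with an argv array so no shell parses the name. The scenario in demo is constructed: a legitimate template directory plus an attacker-created sibling whose name embeds a command substitution that touches a marker file, standing in for an arbitrary command.

```ruby
require 'fileutils'
require 'pathname'
require 'tmpdir'

# Hypothetical reconstruction of the vulnerable pattern (not the project's code):
# the source directory name is interpolated into a shell command string, so a
# name carrying $(...), backticks or ';' is interpreted by /bin/sh during the copy.
def copy_dir_vulnerable(src, dst)
  `cp -r #{src}/. #{dst}`   # backticks hand the whole string to /bin/sh
  $?.success?
end

# Hypothetical hardened form: resolve the source path, refuse anything outside
# allowed_root, and exec cp with an argv array (no shell parses the name).
def copy_dir_safe(src, dst, allowed_root)
  root     = Pathname.new(allowed_root).realpath
  real_src = Pathname.new(src).realpath          # resolves symlinks and ../
  inside   = real_src == root || real_src.to_s.start_with?(root.to_s + File::SEPARATOR)
  raise ArgumentError, "source #{src.inspect} is outside #{root}" unless inside
  # Array form: each element becomes one argv entry; metacharacters stay literal.
  system('cp', '-r', "#{real_src}/.", dst.to_s) or raise "copy of #{real_src} failed"
  true
end

# Constructed scenario: 'src' is a legitimate template directory; the sibling
# directory name embeds $(touch <marker>) as a stand-in for an arbitrary command.
def demo
  Dir.mktmpdir do |base|
    marker = File.join(base, 'pwned')
    FileUtils.mkdir_p(File.join(base, 'src'))
    File.write(File.join(base, 'src', 'job.sh'), "#!/bin/sh\necho hello\n")
    evil = File.join(base, "src$(touch #{marker})")   # attacker-chosen directory name
    FileUtils.mkdir_p(evil)
    File.write(File.join(evil, 'notes.txt'), "template\n")

    dst_vuln = File.join(base, 'dst_vuln')
    FileUtils.mkdir_p(dst_vuln)
    copy_dir_vulnerable(evil, dst_vuln)
    # The shell expanded $(touch ...) (creating the marker) and then copied
    # base/src/. -- the template copy looks successful, but injected code ran.
    injected = File.exist?(marker)
    File.delete(marker) if injected

    dst_safe = File.join(base, 'dst_safe')
    FileUtils.mkdir_p(dst_safe)
    copy_dir_safe(evil, dst_safe, base)   # literal name used, nothing executed

    {
      injected:    injected,                                     # true
      vuln_copied: File.exist?(File.join(dst_vuln, 'job.sh')),   # true: cp still ran
      safe_ran:    File.exist?(marker),                          # false
      safe_copied: File.exist?(File.join(dst_safe, 'notes.txt')) # true
    }
  end
end

# Whitelist check: a source outside the allowed root is refused before any copy.
def rejects_outside_root?
  Dir.mktmpdir do |base|
    begin
      copy_dir_safe(Dir.tmpdir, File.join(base, 'dst'), base)
      false
    rescue ArgumentError
      true
    end
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Note that the root check alone would not have stopped this case: the malicious directory sits inside the allowed root, so a permissive WHITELIST_PATH only widens where such a directory may live. The fix that removes the bug class is passing the path as a separate argv element (or, if a shell is unavoidable, escaping it with Shellwords.escape), because then the name is data rather than command text.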

  • 05.10.2020 - vulnerability found
  • 19.10.2020 - vendor contacted, PGP key requested, vulnerability disclosed to vendor
  • 24.10.2020 - vendor fixed the vulnerability in the public git repository
  • 28.10.2020 - CVE assigned
  • 05.11.2020 - vendor released fixed version
  • 30.11.2020 - vulnerability description published