advisories:cve-2020-27958

CVE-2020-27958: Arbitraty command execution in Open OnDemand

  • Vulnerability Type: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • Vendor: Ohio Supercomputer Center
  • Affected Product: Open OnDeman 1.8.15 (other versions has not been tested)
  • Affected Component: Myjobs application template_controller copy_dir function
  • Attack Type: Remote
  • Impact: Code execution
  • Attack Vectors: http request submission

Description

Myjobs app in Ohio Supercomputer Center Open OnDemand web application allows remote authenticated user to execute arbitrary OS command (shell injection).

Successfull exploitation requires:

  • Default (empty) or permissive WHITELIST_PATH configuration.
  • Ability for user to create a directory with name containing shell injection snippet. Directory must be accessible by OnDemand web portal for template creation (eg. shared NFS storage in grid environment).
  • User to create new job template in the Myjobs web application

Function copying source directory structure into newly created template directory (myjobs templates_controller copy_dir) does not sanitize source directory name.

References

Timeline

  • 05.10.2020 - vulnerability found
  • 19.10.2020 - vendor contacted, pgp requested, vulnerability disclosed
  • 24.10.2020 - vendor fixed the vulnerability in the public git repository
  • 28.10.2020 - cve assigned
  • 05.11.2020 - vendor released fixed version
  • 30.11.2020 - vulnerability description published
Poslední úprava:: 05.11.2020 21:44