Bug #14974
closed
Arbitrary command execution in rudder relay API due to missing parameter sanitization
Added by Alexis Mousset over 5 years ago.
Updated over 1 year ago.
Description
There is no validation of the "classes" parameters which allows passing arbitrary arguments to the executed command, allowing access to a local root account through CFEngine (-f parameter and local policy in /tmp for example).
It requires:
- having a local access to the root server to get root access locally, or
- using the root IP to get root access to relays
- Status changed from New to In progress
- Assignee set to Alexis Mousset
- Status changed from In progress to Pending technical review
- Assignee changed from Alexis Mousset to Benoît PECCATTE
- Pull Request set to https://github.com/Normation/rudder-packages/pull/1944
- Assignee changed from Benoît PECCATTE to Alexis Mousset
- Assignee changed from Alexis Mousset to Benoît PECCATTE
- Status changed from Pending technical review to Pending release
- Subject changed from Remove code execution in rudder relay API to Remote code execution in rudder relay API due to missing parameter sanitization
- Subject changed from Remote code execution in rudder relay API due to missing parameter sanitization to Code execution in rudder relay API due to missing parameter sanitization
- Subject changed from Code execution in rudder relay API due to missing parameter sanitization to Arbitrary command execution in rudder relay API due to missing parameter sanitization
- Fix check changed from To do to Error - Fixed
- Fix check changed from Error - Fixed to To do
- Name check changed from To do to Reviewed
- Fix check changed from To do to Checked
This bug has been fixed in Rudder 4.1.24 and 5.0.12 which were released today.
- Status changed from Pending release to Released
- Private changed from Yes to No
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by