GLSA-202312-11 : SABnzbd: Remote Code Execution

critical Nessus Plugin ID 187279

Description

The remote host is affected by the vulnerability described in GLSA-202312-11 (SABnzbd: Remote Code Execution)

- SABnzbd is an open source automated Usenet download tool. A design flaw was discovered in SABnzbd that could allow remote code execution. Manipulating the Parameters setting in the Notification Script functionality allows code execution with the privileges of the SABnzbd process. Exploiting the vulnerability requires access to the web interface. Remote exploitation is possible if users exposed their setup to the internet or other untrusted networks without setting a username/password. By default SABnzbd is only accessible from `localhost`, with no authentication required for the web interface. This issue has been patched in commits `e3a722` and `422b4f` which have been included in the 4.0.2 release.
Users are advised to upgrade. Users unable to upgrade should ensure that a username and password have been set if their instance is web accessible. (CVE-2023-34237)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

All SABnzbd users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-nntp/sabnzbd-4.0.2"

See Also

https://security.gentoo.org/glsa/202312-11

https://bugs.gentoo.org/show_bug.cgi?id=908032

Plugin Details

Severity: Critical

ID: 187279

File Name: gentoo_GLSA-202312-11.nasl

Version: 1.0

Type: local

Published: 12/23/2023

Updated: 12/23/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-34237

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:sabnzbd, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Ease: No known exploits are available

Patch Publication Date: 12/23/2023

Vulnerability Publication Date: 6/7/2023

Reference Information

CVE: CVE-2023-34237