CVE-2023-2121
Arbitrary Code Execution vulnerability in vault (Go)

Category: Arbitrary Code Execution. No known exploit.

What is CVE-2023-2121 About?

This vulnerability in the `static-eval` package allows for arbitrary code execution through the misuse of FunctionExpressions and TemplateLiterals. While withdrawn as not a vulnerability, its described mechanism allows an attacker to execute arbitrary code within the application's context. Exploitation would be straightforward for an attacker who can control the input to the `evaluate` function.

Affected Software

  • github.com/hashicorp/vault
    • >1.12.0, <1.12.7
    • >1.13.0, <1.13.3
    • <1.11.11

Technical Details

The `static-eval` package is designed to evaluate abstract syntax trees (ASTs) in a sandboxed environment. However, the described vulnerability arises when the `evaluate` function processes AST nodes corresponding to FunctionExpressions and TemplateLiterals without proper sandboxing. An attacker can craft an input source string containing constructs like `(function (x) { return ${eval("...")} })()`, where the `eval()` call contains arbitrary JavaScript code. When this crafted AST is passed to `evaluate`, the contained `eval()` within the function or template literal context is executed, bypassing the intended static evaluation and leading to arbitrary code execution on the host system, as demonstrated by the PoC executing system commands.

What is the Impact of CVE-2023-2121?

Successful exploitation may allow attackers to execute arbitrary code, compromising the integrity, confidentiality, and availability of the affected system, leading to full system control or data exfiltration.

What is the Exploitability of CVE-2023-2121?

Exploitation of this vulnerability is relatively simple, requiring direct control over the input to the static-eval package's evaluate function. There are no authentication or privilege requirements beyond the ability to supply the malicious input to the affected code. This is a local exploitation scenario where the attacker must interact with the application to inject the malicious AST. The main prerequisite is an application that uses static-eval and allows untrusted input to be processed by it. The likelihood of exploitation is high if such a condition exists, as the PoC demonstrates a clear path to code execution.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2023-2121?

Available Upgrade Options

  • github.com/hashicorp/vault
    • <1.11.11 → Upgrade to 1.11.11
    • >1.12.0, <1.12.7 → Upgrade to 1.12.7
    • >1.13.0, <1.13.3 → Upgrade to 1.13.3


Additional Resources

What are Similar Vulnerabilities to CVE-2023-2121?

Similar Vulnerabilities: CVE-2021-39148, CVE-2020-7798, CVE-2019-10756, CVE-2018-3721, CVE-2017-16042