CVE-2023-26156
Command Injection vulnerability in chromedriver (npm)
What is CVE-2023-26156 About?
This vulnerability is a Command Injection flaw in chromedriver versions before 119.0.1, occurring when `chromedriver.path` is set to an arbitrary system binary. Exploiting this can lead to unauthorized access and malicious actions on the host system. It requires local access and specific permissions on the running process.
Affected Software
Technical Details
The vulnerability exists in chromedriver versions prior to 119.0.1. When the `chromedriver.path` configuration is set by an attacker to an arbitrary system binary instead of the legitimate chromedriver executable, the application will execute this attacker-controlled binary. This constitutes a command injection vulnerability, as the attacker can coerce the system to run arbitrary commands with the privileges of the chromedriver process. Successful exploitation can lead to unauthorized access, installation of malicious software, or full system compromise, depending on the permissions of the chromedriver process.
What is the Impact of CVE-2023-26156?
Successful exploitation may allow attackers to execute arbitrary commands on the host system, leading to unauthorized access, data manipulation, or complete system compromise.
What is the Exploitability of CVE-2023-26156?
Exploitation requires an attacker to have prior access to the system running the vulnerable chromedriver library, as they need to modify the `chromedriver.path` setting. The complexity is moderate, as it involves configuring a malicious binary and altering the chromedriver path. No specific authentication is required after local access is achieved, but the attack depends heavily on the permissions and privileges of the process running chromedriver. This is a local exploitation scenario. Risk factors include weak access controls on configuration files or environment variables, and running chromedriver with excessive privileges.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-26156?
Available Upgrade Options
- chromedriver
  - <119.0.1 → Upgrade to 119.0.1
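
To find installs that still fall in the affected range, the check below (an added example, not code from the chromedriver project or this advisory) walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3) and reports every `chromedriver` copy older than 119.0.1, including nested copies pulled in by other dependencies. The lockfile contents and the `legacy-runner` package name are constructed for illustration.

```javascript
// First fixed release, as stated in the advisory above.
const FIXED = '119.0.1';

// Compare two dotted versions. A pre-release ("119.0.1-beta") sorts before
// the matching release, so it is still treated as affected. Returns -1, 0, 1.
function compareVersions(a, b) {
  const parse = (v) => {
    const [core, pre] = v.split('+')[0].split('-', 2);
    return { nums: core.split('.').map(Number), pre: pre !== undefined };
  };
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (x.nums[i] || 0) - (y.nums[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  return x.pre ? -1 : 1;
}

// Return every chromedriver install below FIXED found in a parsed lockfile.
function findVulnerableChromedriver(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/chromedriver" or, for nested copies,
    // "node_modules/<dep>/node_modules/chromedriver".
    if (!path.endsWith('node_modules/chromedriver')) continue;
    if (typeof meta.version !== 'string') continue; // e.g. linked packages
    if (compareVersions(meta.version, FIXED) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the top-level copy is patched, but a
// hypothetical dependency ("legacy-runner") still bundles an older one.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'e2e-tests', version: '1.0.0' },
    'node_modules/chromedriver': { version: '119.0.1' },
    'node_modules/legacy-runner/node_modules/chromedriver': { version: '114.0.2' },
    'node_modules/selenium-webdriver': { version: '4.15.0' },
  },
};

console.log(findVulnerableChromedriver(sampleLock));
```

In a real project, pass the result of `JSON.parse` on the project's `package-lock.json` instead of `sampleLock`.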
Additional Resources
- https://github.com/giggio/node-chromedriver/commit/de961e34e023afcf4fa5c0faeeec69aaa6c3c815
- https://github.com/giggio/node-chromedriver
- https://security.snyk.io/vuln/SNYK-JS-CHROMEDRIVER-6049539
- https://gist.github.com/mcoimbra/47b1da554a80795c45126d51e41b2b18
- https://nvd.nist.gov/vuln/detail/CVE-2023-26156
- https://osv.dev/vulnerability/GHSA-hm92-vgmw-qfmx
What are Similar Vulnerabilities to CVE-2023-26156?
Similar Vulnerabilities: CVE-2021-25927, CVE-2022-23522, CVE-2022-25922, CVE-2022-23517, CVE-2022-4171
