CVE-2023-45158: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may cause an arbitrary OS command to be executed on the web server running the product.
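For code that forwards log text to a desktop notifier, the defensive pattern is to pass the message as a single argv element and never through a shell. The sketch below is an added example, not web2py's code or its fix; it assumes the handler hands each log message to the `notify-send` command, and `notify_argv`, `ArgvNotifyHandler` and the sample message are hypothetical names and constructed data.

```python
import logging
import subprocess


def notify_argv(message, max_len=200):
    """Build the notify-send argv; the message is one argument, never shell-parsed."""
    # Log text can carry request data: blank out control characters, cap the length.
    clean = "".join(ch if ch.isprintable() else " " for ch in message)[:max_len]
    # "--" ends option parsing, so a message starting with "-" is not read as a flag.
    return ["notify-send", "--", "web2py log", clean]


class ArgvNotifyHandler(logging.Handler):
    """Hypothetical logging handler that shows each record as a desktop notification."""

    def __init__(self, runner=subprocess.run):
        super().__init__()
        self.runner = runner  # injectable, so the handler can be tested offline

    def emit(self, record):
        try:
            argv = notify_argv(self.format(record))
            # shell=False: quotes, ";", "$()" and backticks in the text stay literal.
            self.runner(argv, shell=False, check=False, timeout=5)
        except Exception:
            self.handleError(record)


def demo():
    """Log a constructed message full of shell metacharacters; record the call."""
    calls = []
    log = logging.getLogger("constructed.demo")
    log.propagate = False
    log.handlers = [ArgvNotifyHandler(runner=lambda argv, **kw: calls.append((argv, kw)))]
    log.error("invalid path: %s", "/a'; echo x #\n`y` $(z)")
    return calls


if __name__ == "__main__":
    for argv, kwargs in demo():
        print(argv, kwargs)
```
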