CVE-2019-13623

moderate-risk
Published 2019-07-17

In NSA Ghidra before 9.1, path traversal can occur in RestoreTask.java (from the package ghidra.app.plugin.core.archive) via an archive with an executable file that has an initial ../ in its filename. This allows attackers to overwrite arbitrary files in scenarios where an intermediate analysis result is archived for sharing with other persons. To achieve arbitrary code execution, one approach is to overwrite some critical Ghidra modules, e.g., the decompile module.

Do I need to act?

~
4.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
47231
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.8/10 High
LOCAL / LOW complexity

Affected Products (1)

Affected Vendors

Nsa

References (8)

Exploit http://blog.fxiao.me/ghidra/
http://packetstormsecurity.com/files/154015/Ghidra-Linux-9.0.4-Arbitrary-Code-Ex...
https://ghidra-sre.org/releaseNotes_9.1_final.html
Exploit https://github.com/NationalSecurityAgency/ghidra/issues/789
Exploit http://blog.fxiao.me/ghidra/
http://packetstormsecurity.com/files/154015/Ghidra-Linux-9.0.4-Arbitrary-Code-Ex...
https://ghidra-sre.org/releaseNotes_9.1_final.html
Exploit https://github.com/NationalSecurityAgency/ghidra/issues/789
43
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 14/34 · Moderate
Exposure 5/34 · Minimal