CVE-2023-40582

moderate-risk
Published 2023-08-30

find-exec is a utility to discover available shell commands. Versions prior to 1.0.3 did not properly escape user input and are vulnerable to Command Injection via an attacker controlled parameter. As a result, attackers may run malicious shell commands in the context of the running process. This issue has been addressed in version 1.0.3. users are advised to upgrade. Users unable to upgrade should ensure that all input passed to find-exec comes from a trusted source.

Do I need to act?

~
6.8% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 421238ab3f6b4a55745aea43abc62c8b1db6d66c
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Find-Exec

Affected Vendors

Find-Exec Project

References (4)

Patch https://github.com/shime/find-exec/commit/74fb108097c229b03d6dba4cce81e36aa364b5...
Vendor Advisory https://github.com/shime/find-exec/security/advisories/GHSA-95rp-6gqp-6622
Patch https://github.com/shime/find-exec/commit/74fb108097c229b03d6dba4cce81e36aa364b5...
Vendor Advisory https://github.com/shime/find-exec/security/advisories/GHSA-95rp-6gqp-6622
46
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 9/34 · Low
Exposure 5/34 · Minimal