fkie_cve-2023-0290
Vulnerability from fkie_nvd
Published
2023-01-18 22:15
Modified
2025-04-03 20:15
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of "../clients/server" to schedule the collection for the server (as a server artifact), but only require privileges to schedule collections on the client. Normally, to schedule an artifact on the server, the COLLECT_SERVER permission is required. This permission is normally only granted to "administrator" role. Due to this issue, it is sufficient to have the COLLECT_CLIENT privilege, which is normally granted to the "investigator" role. To exploit this vulnerability, the attacker must already have a Velociraptor user account at least "investigator" level, and be able to authenticate to the GUI and issue an API call to the backend. Typically, most users deploy Velociraptor with limited access to a trusted group, and most users will already be administrators within the GUI. This issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.
References
cve@rapid7.comhttps://github.com/Velocidex/velociraptorProduct, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/Velocidex/velociraptorProduct, Third Party Advisory
Impacted products
Vendor Product Version
rapid7 velociraptor *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rapid7:velociraptor:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2FC8DDF3-9A52-47C0-A21A-F6E026C0D442",
              "versionEndExcluding": "0.6.7-5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of \"../clients/server\" to schedule the collection for the server (as a server artifact), but only require privileges to schedule collections on the client.\n\nNormally, to schedule an artifact on the server, the COLLECT_SERVER permission is required. This permission is normally only granted to \"administrator\" role. Due to this issue, it is sufficient to have the COLLECT_CLIENT privilege, which is normally granted to the \"investigator\" role.\nTo exploit this vulnerability, the attacker must already have a Velociraptor user account at least \"investigator\" level, and\u00a0be able to authenticate to the GUI and issue an API call to the backend. Typically, most users deploy Velociraptor with limited access to a trusted group, and most users will already be administrators within the GUI.\n\nThis issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.\n\n"
    },
    {
      "lang": "es",
      "value": "Rapid7 Velociraptor no sanitizaba adecuadamente el par\u00e1metro de ID del cliente en la API CreateCollection, lo que permit\u00eda un directory traversal donde se pod\u00eda escribir la tarea de recopilaci\u00f3n. Era posible proporcionar una identificaci\u00f3n de cliente de \"../clients/server\" para programar la recopilaci\u00f3n para el servidor (como un artefacto del servidor), pero solo se requer\u00edan privilegios para programar recopilaciones en el cliente. Normalmente, para programar un artefacto en el servidor, se requiere el permiso COLLECT_SERVER. Normalmente, este permiso s\u00f3lo se concede al rol de \"administrador\". Debido a este problema, basta con tener el privilegio COLLECT_CLIENT, que normalmente se otorga al rol de \"investigador\". Para aprovechar esta vulnerabilidad, el atacante ya debe tener una cuenta de usuario de Velociraptor al menos a nivel de \"investigador\" y poder autenticarse en la GUI y emitir una llamada API al backend. Normalmente, la mayor\u00eda de los usuarios implementan Velociraptor con acceso limitado a un grupo confiable y la mayor\u00eda de los usuarios ya ser\u00e1n administradores dentro de la GUI. Este problema afecta a las versiones de Velociraptor anteriores a la 0.6.7-5. La versi\u00f3n 0.6.7-5, lanzada el 16 de enero de 2023, soluciona el problema."
    }
  ],
  "id": "CVE-2023-0290",
  "lastModified": "2025-04-03T20:15:20.340",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2023-01-18T22:15:10.647",
  "references": [
    {
      "source": "cve@rapid7.com",
      "tags": [
        "Product",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Velocidex/velociraptor"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Velocidex/velociraptor"
    }
  ],
  "sourceIdentifier": "cve@rapid7.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "cve@rapid7.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.