{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-0290", "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "state": "PUBLISHED", "assignerShortName": "rapid7", "dateReserved": "2023-01-13T15:10:30.966Z", "datePublished": "2023-01-18T21:10:42.929Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/Velocidex/velociraptor/releases", "defaultStatus": "unaffected", "modules": ["CreateCollection API"], "packageName": "Velociraptor", "platforms": ["Windows", "Linux", "MacOS", "64 bit", "32 bit"], "product": "Velociraptor", "programFiles": ["https://github.com/Velocidex/velociraptor/blob/master/services/launcher/launcher.go"], "programRoutines": [{"name": "ScheduleArtifactCollection()"}], "repo": "https://github.com/Velocidex/velociraptor/", "vendor": "Rapid7", "versions": [{"changes": [{"at": "5", "status": "unaffected"}], "lessThan": "0.6.7-5", "status": "affected", "version": "0", "versionType": "semver"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Velociraptor deployment with multiple users at roles of lesser privileges than administrators, but at least the level of \"investigator.\"<br>"}], "value": "Velociraptor deployment with multiple users at roles of lesser privileges than administrators, but at least the level of \"investigator.\"\n"}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Paul Alkemade from Telstra"}], "datePublic": "2023-01-17T14:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of \"../clients/server\" to schedule the collection for the server (as a server artifact), but only require privileges to schedule collections on the client.<br><br>Normally, to schedule an artifact on the server, the COLLECT_SERVER permission is required. This permission is normally only granted to \"administrator\" role. Due to this issue, it is sufficient to have the COLLECT_CLIENT privilege, which is normally granted to the \"investigator\" role.<br><p>To exploit this vulnerability, the attacker must already have a Velociraptor user account at least \"investigator\" level, and&nbsp;be able to authenticate to the GUI and issue an API call to the backend. Typically, most users deploy Velociraptor with limited access to a trusted group, and most users will already be administrators within the GUI.</p><p>This issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.</p>"}], "value": "Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of \"../clients/server\" to schedule the collection for the server (as a server artifact), but only require privileges to schedule collections on the client.\n\nNormally, to schedule an artifact on the server, the COLLECT_SERVER permission is required. This permission is normally only granted to \"administrator\" role. Due to this issue, it is sufficient to have the COLLECT_CLIENT privilege, which is normally granted to the \"investigator\" role.\nTo exploit this vulnerability, the attacker must already have a Velociraptor user account at least \"investigator\" level, and\u00a0be able to authenticate to the GUI and issue an API call to the backend. Typically, most users deploy Velociraptor with limited access to a trusted group, and most users will already be administrators within the GUI.\n\nThis issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.\n\n"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7", "dateUpdated": "2023-01-18T21:10:42.929Z"}, "references": [{"url": "https://github.com/Velocidex/velociraptor"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade to 0.6.7-5<br>"}], "value": "Upgrade to 0.6.7-5\n"}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2023-01-13T05:23:00.000Z", "value": "Notification of the issue"}, {"lang": "en", "time": "2023-01-17T02:00:00.000Z", "value": "Release 0.6.7-5 made available on Github"}], "title": "Rapid7 Velociraptor directory traversal in client ID parameter ", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rapid7:velociraptor:*:*:*:*:*:*:*:*", "matchCriteriaId": "2FC8DDF3-9A52-47C0-A21A-F6E026C0D442", "versionEndExcluding": "0.6.7-5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of \"../clients/server\" to schedule the collection for the server (as a server artifact), but only require privileges to schedule collections on the client.\n\nNormally, to schedule an artifact on the server, the COLLECT_SERVER permission is required. This permission is normally only granted to \"administrator\" role. Due to this issue, it is sufficient to have the COLLECT_CLIENT privilege, which is normally granted to the \"investigator\" role.\nTo exploit this vulnerability, the attacker must already have a Velociraptor user account at least \"investigator\" level, and\u00a0be able to authenticate to the GUI and issue an API call to the backend. Typically, most users deploy Velociraptor with limited access to a trusted group, and most users will already be administrators within the GUI.\n\nThis issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.\n\n"}, {"lang": "es", "value": "Rapid7 Velociraptor no sanitizaba adecuadamente el par\u00e1metro de ID del cliente en la API CreateCollection, lo que permit\u00eda un directory traversal donde se pod\u00eda escribir la tarea de recopilaci\u00f3n. Era posible proporcionar una identificaci\u00f3n de cliente de \"../clients/server\" para programar la recopilaci\u00f3n para el servidor (como un artefacto del servidor), pero solo se requer\u00edan privilegios para programar recopilaciones en el cliente. Normalmente, para programar un artefacto en el servidor, se requiere el permiso COLLECT_SERVER. Normalmente, este permiso s\u00f3lo se concede al rol de \"administrador\". Debido a este problema, basta con tener el privilegio COLLECT_CLIENT, que normalmente se otorga al rol de \"investigador\". Para aprovechar esta vulnerabilidad, el atacante ya debe tener una cuenta de usuario de Velociraptor al menos a nivel de \"investigador\" y poder autenticarse en la GUI y emitir una llamada API al backend. Normalmente, la mayor\u00eda de los usuarios implementan Velociraptor con acceso limitado a un grupo confiable y la mayor\u00eda de los usuarios ya ser\u00e1n administradores dentro de la GUI. Este problema afecta a las versiones de Velociraptor anteriores a la 0.6.7-5. La versi\u00f3n 0.6.7-5, lanzada el 16 de enero de 2023, soluciona el problema."}], "id": "CVE-2023-0290", "lastModified": "2023-11-07T04:00:06.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-18T22:15:10.647", "references": [{"source": "cve@rapid7.com", "tags": ["Product", "Third Party Advisory"], "url": "https://github.com/Velocidex/velociraptor"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "cve@rapid7.com", "type": "Secondary"}]}

{}