CVE-2023-49102

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-49102
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-49102.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-49102
Published
2023-11-22T22:15:08Z
Modified
2024-09-03T04:35:48.456580Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

NZBGet 21.1 allows authenticated remote code execution because the unarchive programs (7za and unrar) preserve executable file permissions. An attacker with the Control capability can execute a file by setting the value of SevenZipCommand or UnrarCmd. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Affected packages

Git / github.com/nzbget/nzbget

Affected ranges

Type
GIT
Repo
https://github.com/nzbget/nzbget
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

v16.*

v16.0
v16.0-r1353
v16.0-r1420
v16.0-r1439
v16.1
v16.2
v16.3
v16.4

v17.*

v17.0
v17.0-r1660
v17.0-r1686
v17.0-r1716
v17.0-r1726
v17.0-r1735
v17.1
v17.1-r1756

v18.*

v18.0
v18.0-r1820
v18.0-r1841
v18.0-r1858
v18.0-r1865
v18.1

v19.*

v19.0
v19.0-r1903
v19.0-r1914
v19.0-r1929
v19.0-r1991
v19.0-r1999
v19.0-r2008
v19.0-r2021
v19.1
v19.1-r2031

v20.*

v20.0
v20.0-r2075
v20.0-r2108
v20.0-r2147
v20.0-r2159
v20.0-r2171
v20.0-r2176
v20.0-r2181
v20.0-r2190

v21.*

v21.0
v21.0-r2220
v21.0-r2296
v21.0-r2302
v21.0-r2304
v21.1
v21.1-r2311
v21.1-r2322
v21.1-r2329