
CVE-2017-1000009: Akeneo PIM vulnerable to shell injection in the mass edition

CVSS Score: 9.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.93117%
Published: 5/13/2022
Updated: 4/25/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name              Ecosystem  Vulnerable Versions  First Patched Version
akeneo/pim-community-dev  composer   >= 1.4, < 1.4.28     1.4.28
akeneo/pim-community-dev  composer   >= 1.5, < 1.5.15     1.5.15
akeneo/pim-community-dev  composer   >= 1.6, < 1.6.6      1.6.6

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from improper neutralization of user input used in OS commands during mass edit operations. Akeneo's batch job architecture uses SimpleJobLauncher to execute shell commands for background processing. The MassEditController receives user inputs that are directly incorporated into these commands. Without proper sanitization (e.g., escaping shell arguments or using parameterized commands), attacker-controlled input containing shell metacharacters would be interpreted by the shell as additional commands rather than as data. This matches the CWE-78 pattern and Akeneo's changelog references to mass edit fixes in patched versions. The confidence is high due to the architectural pattern match and the specificity of the vulnerability description, though the exact pre-patch code isn't available.
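The following PHP snippet is an added illustration of the CWE-78 pattern described above; it is not Akeneo's code, and the function names, the `app/console hypothetical:job` command and the filter format are placeholders. It places the unsafe string-concatenation builder beside a hardened builder that allowlists the job code and passes every user-controlled value through PHP's built-in `escapeshellarg()`.

```php
<?php
// Added example (not Akeneo's code). Shows how user input concatenated into a
// shell command becomes a second command, and how an allowlist check plus
// escapeshellarg() keeps it a single literal argument.

/**
 * Vulnerable pattern (hypothetical): the job code and the user-supplied filter
 * are concatenated straight into the command string that is handed to a shell.
 * Any shell metacharacter in $filter changes the structure of the command.
 */
function buildLaunchCommandUnsafe(string $jobCode, string $filter): string
{
    // Placeholder command name; Akeneo's real console command is not shown on this page.
    return "php app/console hypothetical:job $jobCode --config=$filter";
}

/**
 * Hardened pattern: the job code must match a strict allowlist pattern, and
 * every user-controlled value is wrapped by escapeshellarg(), which quotes the
 * whole value so the shell treats it as one argument regardless of content.
 */
function buildLaunchCommandSafe(string $jobCode, string $filter): string
{
    if (!preg_match('/^[a-z0-9_]{1,64}$/', $jobCode)) {
        throw new InvalidArgumentException('job code is not in the allowed format');
    }
    return 'php app/console hypothetical:job ' . escapeshellarg($jobCode)
         . ' --config=' . escapeshellarg($filter);
}

// Constructed hostile input: a filter value followed by a command separator.
$hostile = '{"field":"sku"}; echo injected';

echo "unsafe: ", buildLaunchCommandUnsafe('update_product_value', $hostile), PHP_EOL;
echo "safe:   ", buildLaunchCommandSafe('update_product_value', $hostile), PHP_EOL;

// A job code that fails the allowlist is rejected before any command is built.
try {
    buildLaunchCommandSafe('update; echo injected', '{}');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}
```

In the unsafe output the `;` ends the console command and the shell would run what follows as a separate command; in the safe output the entire filter sits inside single quotes (with any embedded single quote escaped by `escapeshellarg()`), so the separator is plain data. The stronger fix the analysis alludes to, parameterized execution, is to avoid the shell entirely, for example by passing an argument array to `proc_open()` (supported since PHP 7.4) or to a process library that does the same, so no string is ever re-parsed by a shell.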

WAF Protection Rules

WAF Rule

Akeneo PIM CE and EE before 1.4.28, 1.5.15 and 1.6.6 are vulnerable to shell injection in the mass edition, resulting in remote execution.
