3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-30844

GHSA ID

GHSA-jmp2-wc4p-wfh2

EPSS Score

0.56753%

CWE

CWE-116

Published

5/5/2023

Updated

11/5/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-30844

CVE-2023-30844: Mutagen list and monitor operations do not neutralize control characters in text controlled by remote endpoints

Impact

Mutagen command line operations, as well as the log output from mutagen daemon run, are susceptible to control characters that could be provided by remote endpoints. This can cause terminal corruption, either intentional or unintentional, if these characters are present in error messages, file paths/names, and/or log output. This could be used as an attack vector if synchronizing with an untrusted remote endpoint, synchronizing files not under control of the user, or forwarding to/from an untrusted remote endpoint. On very old systems with terminals susceptible to issues such as CVE-2003-0069, the issue could theoretically cause code execution.

Patches

The problem has been patched in Mutagen v0.16.6 and v0.17.1. Earlier versions of Mutagen are no longer supported and will not be patched. Versions of Mutagen after v0.18.0 will also have the patch merged.

One caveat is that the templating functionality of Mutagen's list and monitor commands has been only partially patched. In particular, the json template function already provided escaping and no patching was necessary. However, raw template output has been left unescaped because this raw output may be necessary for commands which embed Mutagen. To aid these commands, a new shellSanitize template function has been added which provides control character neutralization in strings.

Workarounds

Avoiding synchronization of untrusted files or interaction with untrusted remote endpoints should mitigate any risk.

References

A similar issue can be seen in kubernetes/kubernetes#101695.

(GitHub Advisory)

3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-30844

GHSA ID

GHSA-jmp2-wc4p-wfh2

EPSS Score

0.56753%

CWE

CWE-116

Published

5/5/2023

Updated

11/5/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/mutagen-io/mutagen	go	< 0.16.6	0.16.6
github.com/mutagen-io/mutagen-compose	go	< 0.17.1	0.17.1
github.com/mutagen-io/mutagen	go	>= 0.17.0, < 0.17.1	0.17.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability explicitly affects the templating functionality of 'list' and 'monitor' commands. While the JSON template function was already safe, the advisory states that raw template output remained unescaped. The addition of a new 'shellSanitize' template function in patches indicates that the default raw output path lacked proper sanitization. Though exact function names aren't provided in available data, the core issue resides in the template rendering logic for these commands when handling untrusted input from remote endpoints.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Mut***n *omm*n* lin* op*r*tions, *s w*ll *s t** lo* output *rom `mut***n ***mon run`, *r* sus**pti*l* to *ontrol ***r**t*rs t**t *oul* ** provi*** *y r*mot* *n*points. T*is **n **us* t*rmin*l *orruption, *it**r int*ntion*l or unint*ntion

Reasoning

T** vuln*r**ility *xpli*itly *****ts t** t*mpl*tin* *un*tion*lity o* 'list' *n* 'monitor' *omm*n*s. W*il* t** JSON t*mpl*t* `*un*tion` w*s *lr***y s***, t** **visory st*t*s t**t r*w t*mpl*t* output r*m*in** un*s**p**. T** ***ition o* * n*w 's**llS*ni

3

Basic Information

Concerned about an active attack path?

CVE-2023-30844: Mutagen list and monitor operations do not neutralize control characters in text controlled by remote endpoints

Impact

Patches

Workarounds

References

3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI