4

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-51699

CVE-2023-51699: Fluid vulnerable to OS Command Injection for Fluid Users with JuicefsRuntime

Impact

OS command injection vulnerability within the Fluid project's JuicefsRuntime can potentially allow an authenticated user, who has the authority to create or update the K8s CRD Dataset/JuicefsRuntime, to execute arbitrary OS commands within the juicefs related containers. This could lead to unauthorized access, modification or deletion of data.

Patches

For users who're using version < 0.9.3 with JuicefsRuntime， upgrade to v0.9.3.

References

Are there any links users can visit to find out more?

Credits

Special thanks to the discovers of this issue:

Xiaozheng Zhang xiaozheng_zhang@outlook.com

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-51699

CVE-2023-51699:

4

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/fluid-cloudnative/fluid	go	< 0.9.3	0.9.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from constructing OS commands using user-controlled inputs without proper sanitization. Key indicators: 1) The patch adds security.EscapeBashStr to parameters used in command construction 2) Removes dangerous 'bash -c' patterns 3) Fixes command construction in metrics collection (GetUsedSpace/GetFileCount) and mount command generation (genWorkerMount/genFuseMount). These functions handled untrusted inputs like mount paths, runtime names, and config values that were directly interpolated into shell commands.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-51699: Fluid vulnerable to OS Command Injection for Fluid Users with JuicefsRuntime

Impact

Patches

References

Credits

CVE-2023-51699:

4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

CVE-2023-51699: Fluid vulnerable to OS Command Injection for Fluid Users with JuicefsRuntime

Impact

Patches

References

Credits

Technical Details

4

4

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI