VYPR
Critical severity · NVD Advisory · Published Dec 10, 2019 · Updated Aug 6, 2024

CVE-2013-2095

Description

A command injection flaw in OpenShift Origin's cartridge_cache.rb allows remote authenticated users to execute arbitrary commands via crafted cartridge URLs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Overview

CVE-2013-2095 is a command injection vulnerability in the rubygem-openshift-origin-controller component of Red Hat OpenShift Origin. The issue resides in cartridge_cache.rb, which validates cartridge URLs with URI.parse() and then downloads them by running curl inside backticks, so the URL is interpolated into a shell command line. Because URI.parse() permits characters such as ; and $, which the shell treats as metacharacters, an attacker can append arbitrary shell commands to a valid URL, leading to injection [4].
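The gap described above, shown as an added Ruby example that is not code from OpenShift Origin or from the advisory: URI.parse() accepts a URL that carries a shell metacharacter, while a strict allowlist plus argv-style process execution keeps the string away from any shell. The sample URLs, the allowlist policy and all function names are assumptions made for illustration, and a Ruby child process that prints its argument stands in for the downloader so the example runs offline.

```ruby
require "uri"
require "open3"
require "rbconfig"

# Constructed sample inputs (example.com names are placeholders).
BENIGN  = "http://cartridges.example.com/manifest.yml"
CRAFTED = "http://cartridges.example.com/manifest.yml;id"

# The weak check: URI.parse only checks URI syntax, and ';' and '$' are legal there.
def passes_uri_parse?(url)
  URI.parse(url)
  true
rescue URI::InvalidURIError
  false
end

# Stricter allowlist (assumed policy): http(s), plain host, optional port, simple path.
SAFE_URL = %r{\Ahttps?://[A-Za-z0-9.\-]+(:\d+)?(/[A-Za-z0-9._~/\-]*)?\z}

def valid_cartridge_url?(url)
  return false unless url.is_a?(String) && url.match?(SAFE_URL)
  URI.parse(url).is_a?(URI::HTTP)
rescue URI::InvalidURIError
  false
end

# Child process that prints its first argument; stands in for the downloader
# (e.g. a curl argv) so the example runs offline.
ECHO_ARGV = [RbConfig.ruby, "-e", "print ARGV[0]", "--"].freeze

# What a child receives when started from an argv array: no shell parses the string.
def argv_seen_by_child(arg)
  out, status = Open3.capture2(*ECHO_ARGV, arg)
  raise "child failed" unless status.success?
  out
end

# Hardened path: validate first, then execute without a shell.
def fetch_without_shell(url)
  raise ArgumentError, "rejected cartridge URL" unless valid_cartridge_url?(url)
  argv_seen_by_child(url)
end

if __FILE__ == $PROGRAM_NAME
  puts "URI.parse accepts crafted URL: #{passes_uri_parse?(CRAFTED)}"
  puts "allowlist accepts crafted URL: #{valid_cartridge_url?(CRAFTED)}"
  puts "child argv[0]: #{argv_seen_by_child(CRAFTED)}"
end
```

Either control alone closes this particular path; using both means a later change to the allowlist does not reopen it.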

Exploitation

An authenticated user can exploit this by sending a POST request to the broker API to create an application, supplying a crafted cartridge URL. For example, appending ;reboot to a valid HTTP URL causes the injected command to execute on the broker server. The error message returned may not reflect the command's execution, but the injected command runs as the broker process [4].

Impact

Successful exploitation allows a remote authenticated attacker to execute arbitrary operating system commands with the privileges of the broker process. This can lead to unauthorized access, data exfiltration, privilege escalation, or denial of service (e.g., by running reboot or rm -rf *). The vulnerability was publicly announced in 2013 and is rated as important [1][2].

Mitigation

This vulnerability was addressed in a security update for Red Hat OpenShift Origin. Users of affected versions (OpenShift 2.x) should apply the appropriate patch or upgrade to a supported release. No known workarounds were provided, and the OpenShift Origin product line is now deprecated [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| openshift-origin-controller (RubyGems) | <= 1.3.4 | |

Affected products

2

Patches

0

No patches discovered yet.

References

5
