VYPR
Critical severity · NVD Advisory · Published Apr 6, 2020 · Updated Aug 4, 2024

CVE-2020-7633

Description

CVE-2020-7633 is a command injection vulnerability in apiconnect-cli-plugins ≤6.0.1 that allows attackers to execute arbitrary commands via the pluginUri argument.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Details

CVE-2020-7633 is a command injection vulnerability in the apiconnect-cli-plugins package, an IBM API Connect Developer Toolkit plugin, affecting versions through 6.0.1 [1]. The root cause is the absence of user-input sanitization for the pluginUri argument in the installPlugin(pluginUri, registryUri) function located in lib/plugin-loader.js at line 181 [2]. This enables an attacker to inject arbitrary operating system commands by crafting a malicious pluginUri value [2].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted pluginUri to the pluginLoader.installPlugin() function [2]. No authentication is required if the attacker can control this input, e.g., via a malicious package that calls the vulnerable function. The provided proof-of-concept (PoC) demonstrates injection using backticks or shell metacharacters: root.pluginLoader.installPlugin(payload, "") where the payload includes a command like touch Song [2].

Impact

Successful exploitation allows an attacker to execute arbitrary commands with the privileges of the user running the vulnerable application [1][2]. This could lead to full system compromise, data exfiltration, or other malicious actions depending on the environment [1]. The CVSS v3.1 base score is 9.8 (Critical) [2].

Mitigation

As of the advisory publication, there is no fixed version available for apiconnect-cli-plugins [2]. Users are advised to either discontinue use or apply strict input validation to the pluginUri parameter if the package must be used [2].
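One way to apply the strict input validation recommended above, shown as an added example that is not code from apiconnect-cli-plugins or its maintainers. It assumes pluginUri is meant to be an npm package spec and that installation runs `npm install`; `validatePluginUri`, `buildInstallArgv` and `installPluginSafely` are hypothetical names, and the sample inputs are constructed.

```javascript
// Added example: not code from apiconnect-cli-plugins.
// Assumption: pluginUri is an npm package spec: [@scope/]name[@version-or-tag].
const NPM_SPEC =
  /^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*(@[A-Za-z0-9][A-Za-z0-9._+-]*)?$/;

// Allowlist check: anything that is not a plain package spec is rejected,
// which excludes backticks, ';', '&', '|', '$', spaces and a leading '-'.
function validatePluginUri(pluginUri) {
  // 214 is an assumed length cap, taken from npm's package-name limit.
  if (typeof pluginUri !== 'string' || pluginUri.length === 0 || pluginUri.length > 214) {
    return { ok: false, reason: 'must be a string of 1..214 characters' };
  }
  if (!NPM_SPEC.test(pluginUri)) {
    return { ok: false, reason: 'not a plain npm package spec' };
  }
  return { ok: true, reason: '' };
}

// Build an argument vector for npm; nothing is concatenated into a shell string.
function buildInstallArgv(pluginUri, registryUri) {
  const check = validatePluginUri(pluginUri);
  if (!check.ok) throw new Error('rejected pluginUri: ' + check.reason);
  const argv = ['install'];
  if (registryUri) {
    const url = new URL(registryUri); // throws on a malformed URL
    if (url.protocol !== 'https:') throw new Error('registryUri must use https');
    argv.push('--registry=' + url.href);
  }
  argv.push(pluginUri);
  return argv;
}

// Hypothetical wrapper to call instead of passing raw input to installPlugin().
// execFile starts npm directly, so no shell ever parses the arguments.
function installPluginSafely(pluginUri, registryUri, done) {
  const { execFile } = require('child_process');
  execFile('npm', buildInstallArgv(pluginUri, registryUri), done);
}

// Constructed sample inputs; the last two mirror the PoC style the advisory describes.
for (const uri of ['apiconnect-plugin-example', '@scope/plugin@1.2.3',
                   '`touch Song`', 'plugin; touch Song']) {
  const r = validatePluginUri(uri);
  console.log(JSON.stringify(uri), r.ok ? 'accepted' : 'rejected: ' + r.reason);
}
```

If the package's own installPlugin() must still be called, `validatePluginUri` can serve as a gate in front of it; the argument-vector form removes the shell from the path entirely.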

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: apiconnect-cli-plugins (npm)
Affected versions: <= 6.0.1
Patched versions: none listed

Patches

0

No patches discovered yet.
