CVE-2023-39013
Description
Code injection in Duke deduplication engine v1.2 and below via untrusted JNDI lookup in CommonJTimer.init allows remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
CVE-2023-39013 is a code injection vulnerability in the Duke deduplication engine (version 1.2 and below). The flaw resides in the no.priv.garshol.duke.server.CommonJTimer.init(Properties) method, which was designed to initialize a timer but fails to sanitize user-supplied properties before performing a JNDI lookup [1][2]. By setting the property duke.timer-jndipath to a malicious LDAP or RMI endpoint, an attacker can trigger arbitrary code execution on the server when the timer is initialized with those unchecked properties [3].
Exploitation
Exploitation requires the attacker to be able to pass arbitrary properties to CommonJTimer.init(). In practice, this could occur if an application using Duke accepts user-controlled configuration or if Duke's own configuration files are writable. No authentication is needed if the vulnerable API is exposed; an attacker only needs to craft a malicious LDAP server and supply a crafted JNDI path, such as ldap://evil.com:12345. The Duke process will then query that LDAP server, loading and executing attacker-controlled bytecode [3]. This is a classic Java deserialization/injection pattern targeting the JNDI lookup mechanism.
Impact
Successful exploitation allows an unauthenticated remote attacker to execute arbitrary Java code in the context of the Duke application. This can lead to full compromise of the affected system, including data exfiltration, installation of backdoors, or lateral movement within the network. Since Duke is often used as a deduplication service within data pipelines, the impact can extend to adjacent systems and sensitive datasets.
Mitigation
As of the published advisory, the latest release is version 1.2, which remains vulnerable [2]. The official fix suggestion is to filter LDAP, RMI, and other potentially dangerous protocols when performing JNDI lookups [3]. Until an official update is released, users should apply a local patch that sanitizes the JNDI path, restrict the use of CommonJTimer in their application, or switch to a supported deduplication library.
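As an added illustration of the "sanitize the JNDI path" mitigation, the following Java sketch is not Duke's own code and not taken from the advisory. It assumes a hypothetical helper class SafeTimerLookup that reads the duke.timer-jndipath property named above and applies a strict allowlist: only in-container names (the java: namespace, or a relative name with no scheme) are passed to InitialContext.lookup, and any name carrying a remote scheme such as ldap:// or rmi:// is rejected before JNDI ever sees it. The sample names in main are constructed for the demonstration.

```java
import java.util.Locale;
import java.util.Properties;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Hypothetical hardening for a CommonJ-style timer lookup (not Duke's code).
 * The idea: allowlist local JNDI names instead of denylisting LDAP and RMI.
 */
public final class SafeTimerLookup {

    /** Property name as given in the advisory text. */
    static final String TIMER_JNDI_PROPERTY = "duke.timer-jndipath";

    /**
     * Returns true only for names that stay inside the JVM's own naming
     * context: a relative name with no scheme (e.g. "tm/TimerManager") or a
     * name in the "java:" namespace (e.g. "java:comp/env/tm/TimerManager").
     * Every other scheme (ldap, rmi, iiop, dns, ...) is refused, which also
     * covers case variations such as "LDAP://".
     */
    static boolean isSafeJndiName(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        int colon = name.indexOf(':');
        if (colon < 0) {
            return true;                       // relative name, no scheme at all
        }
        String scheme = name.substring(0, colon).toLowerCase(Locale.ROOT);
        return scheme.equals("java");          // only the in-JVM "java:" namespace
    }

    /**
     * Validates the configured path before the lookup. Throwing here means an
     * untrusted "ldap://..." or "rmi://..." value never reaches JNDI.
     */
    static Object lookupTimerManager(Properties props) throws NamingException {
        String jndiPath = props.getProperty(TIMER_JNDI_PROPERTY);
        if (!isSafeJndiName(jndiPath)) {
            throw new IllegalArgumentException(
                "refusing non-local JNDI name in " + TIMER_JNDI_PROPERTY + ": " + jndiPath);
        }
        return new InitialContext().lookup(jndiPath);
    }

    public static void main(String[] args) {
        // Constructed sample values for the demonstration; no lookup is performed here.
        String[] samples = {
            "java:comp/env/tm/TimerManager",   // in-container CommonJ name: allowed
            "tm/TimerManager",                 // relative name: allowed
            "ldap://evil.com:12345",           // remote LDAP reference (pattern from the advisory): rejected
            "rmi://127.0.0.1:1099/obj",        // remote RMI reference: rejected
            "LDAP://evil.com:12345"            // case variation: still rejected
        };
        for (String s : samples) {
            System.out.println((isSafeJndiName(s) ? "allow  " : "reject ") + s);
        }
    }
}
```

Two caveats a practitioner would want. First, this check only governs the name handed to lookup; if the same untrusted Properties can also populate InitialContext environment entries such as java.naming.provider.url, those need the same scrutiny. Second, modern JDKs (8u191, 11.0.1 and later) ship with com.sun.jndi.ldap.object.trustURLCodebase set to false, which blocks remote class loading from an attacker's LDAP server, but a malicious server can still return serialized objects that are deserialized on the client, so the JDK default is not a substitute for the application-level allowlist.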
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| no.priv.garshol.duke:duke (Maven) | <= 1.2 | — |
Affected products
- Duke/Duke
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-p83q-99rc-vfmv (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2023-39013 (advisory)
- [3] github.com/larsga/Duke/issues/273 (web)
News mentions
No linked articles in our index yet.