CVE-2023-39013: 
Java vulnerability analysis and mitigation

Duke v1.2 and below contains a code injection vulnerability in the component no.priv.garshol.duke.server.CommonJTimer.init. The vulnerability was discovered and reported on July 18, 2023, affecting all versions up to and including version 1.2 (Duke Issue). The vulnerability has been assigned CVE-2023-39013 and received a CVSS v3.1 base score of 9.8 CRITICAL (NVD).

The vulnerability exists in the CommonJTimer.init(Properties) method, which is designed to initialize a timer. The issue stems from the method accepting unchecked arguments that can lead to arbitrary code execution. When processing the 'duke.timer-jndipath' property, the component fails to properly validate input, allowing attackers to specify malicious LDAP URLs. The vulnerability has been classified as CWE-94 (Improper Control of Generation of Code) (NVD).

The vulnerability allows for remote code execution through the injection of malicious code. An attacker can execute arbitrary code by providing specially crafted properties to the CommonJTimer.init method, potentially leading to complete system compromise (Duke Issue).

The recommended mitigation is to filter LDAP, RMI, and related protocols when using lookup functionality. As of the vulnerability disclosure, no official patch has been released (Duke Issue).