CVE-2024-52010: 
vulnerability analysis and mitigation

CVE-2024-52010 affects Zoraxy, a general purpose HTTP reverse proxy and forwarding tool, versions 2.6.1 through 3.1.2. The vulnerability was discovered and disclosed on November 12, 2024, and involves a command injection vulnerability in the Web SSH feature that allows authenticated attackers to execute arbitrary commands as root on the host system (GitHub Advisory).

The vulnerability exists in the Web SSH terminal feature that allows authenticated users to connect to SSH servers from their browsers. In the HandleCreateProxySession function, the username parameter is not properly validated or sanitized before being used in command construction. An attacker can exploit this by injecting commands through the username variable to escape from the bash command and execute arbitrary commands. The vulnerability was introduced in commit c07d5f8 and has been assigned a CVSS v4.0 base score of 8.6 (High) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (GitHub Advisory).

The vulnerability allows authenticated attackers to gain remote code execution with root privileges on the host system. If Zoraxy is run without authentication (started with -noauth), the vulnerability can be exploited without authentication. Additionally, in Docker deployments where the Docker socket is mounted, attackers can potentially escape the Zoraxy container and gain access to the Docker host (GitHub Advisory).

The vulnerability has been patched in Zoraxy version 3.1.3. Users are advised to upgrade to this version. For users unable to upgrade immediately, it is recommended to ensure authentication is enabled and to avoid using the Web SSH feature until the update can be applied (GitHub Advisory).