nextlevelbuilder GoClaw
- <= 3.13.2
A vulnerability exists in GoClaw versions up to 3.13.2, specifically within the WebSocket approval endpoint. The issue arises in the 'RequestApproval' function of 'internal/tools/exec_approval.go', where the approval cache incorrectly handles 'allow-always' decisions. This flaw allows an operator to approve one BusyBox-wrapped command, which can then be exploited to execute different commands without additional approval, bypassing GoClaw's intended authorization process for executing host commands.
This vulnerability allows for a bypass of the execution approval process, enabling unauthorized commands to be executed on the host system with the same privileges as the GoClaw process. This could lead to unauthorized access to files, extraction of sensitive information such as credentials or tokens, and potentially compromise the system, depending on how GoClaw is deployed.
The vulnerability can be reproduced by approving a BusyBox command with 'allow-always' and then executing a different BusyBox command wrapped in the same 'sh -c' context. This can be done using the GoClaw HTTP tool invocation endpoint, which accepts commands as arguments and forwards them to be executed after the approval is evaluated.
Users can update to GoClaw version 3.13.3 or later, where this vulnerability has been addressed.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.