nextlevelbuilder GoClaw
- <= 3.13.3-beta.3
A vulnerability exists in Nextlevelbuilder GoClaw versions up to 3.13.3-beta.3, specifically within the exec approval management. The issue arises because the 'matchesAllowlist' function trusts basename-only entries, allowing operators to manipulate and execute commands that bypass the intended approval process. This vulnerability can be exploited remotely by authenticated operators via the 'POST /v1/tools/invoke' HTTP endpoint.
Exploitation of this vulnerability allows for an authorization and execution-control bypass, enabling the execution of arbitrary workspace binaries on the host system with the same privileges as the GoClaw process. This could lead to unauthorized access to local files, network resources, and sensitive information or automation capabilities available to the service account.
To reproduce this vulnerability, an operator must upload a malicious binary named 'echo' into a writable workspace directory. Once the binary is in place, the operator can invoke it using the 'exec' tool through the 'POST /v1/tools/invoke' endpoint, with the command set to './echo'. The approval process will mistakenly trust the command based on its basename, while the execution will run the uploaded binary from the workspace, effectively bypassing the approval mechanism.
The vulnerability has been patched in version 3.13.3-beta.4. Users should update to this version.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.