OneUptime OS Command Injection Vulnerability in NetworkPathMonitor Traceroute Function
Vulnerability
A command injection vulnerability has been identified in OneUptime versions prior to 10.0.7. The issue resides in the NetworkPathMonitor's performTraceroute() method, where the user-supplied destination value is not properly sanitized: the destination parameter is interpolated directly into a command string that is executed through the shell, without validation. This allows authenticated project users to execute arbitrary operating system commands on the Probe server by placing shell metacharacters in the destination field.
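As an added illustration (not OneUptime's code and not the actual fix shipped in 10.0.7), the interpolation pattern the advisory describes next to a hardened form: the destination is validated as an IP address or RFC 1123 hostname and then handed to execFile as a separate argv element, so no shell ever parses it. Function names, the traceroute flags and the sample inputs are assumptions chosen for this example.

```typescript
// Added example, not OneUptime's code. Names, flags and inputs are assumed.
import { execFile } from "node:child_process";
import { isIP } from "node:net";

// RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
// each label starting and ending with a letter or digit. Nothing the shell
// treats specially (; | & $ ` space, newline ...) can match, and a leading
// "-" is rejected so the value can never be read as a traceroute option.
const HOSTNAME_RE =
  /^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?$/;

// Vulnerable pattern (shown for contrast, never executed here): the raw
// destination is pasted into a shell command line, so metacharacters survive.
function unsafeCommandLine(destination: string): string {
  return `traceroute -n ${destination}`;
}

// Returns the destination if it is a syntactically valid IPv4/IPv6 address
// or hostname, otherwise null.
function validateDestination(raw: string): string | null {
  const dest = raw.trim();
  if (dest.length === 0 || dest.length > 253) return null;
  if (isIP(dest) !== 0) return dest; // net.isIP returns 4, 6 or 0
  return HOSTNAME_RE.test(dest) ? dest : null;
}

// Hardened: build an argv array for the traceroute binary. The destination
// is the last element and only reaches this point after validation.
function tracerouteArgv(raw: string): string[] {
  const dest = validateDestination(raw);
  if (dest === null) throw new Error("invalid traceroute destination");
  return ["-n", "-w", "2", "-m", "30", dest]; // flags assumed for the example
}

// execFile spawns the binary directly with an argument vector; there is no
// shell in the path, so the destination cannot terminate or chain commands.
function safeTraceroute(raw: string): Promise<string> {
  const argv = tracerouteArgv(raw); // throws before anything is spawned
  return new Promise((resolve, reject) => {
    execFile("traceroute", argv, { timeout: 60_000 }, (err, stdout) =>
      err ? reject(err) : resolve(stdout),
    );
  });
}
```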
Impact
Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the Probe server, potentially leading to unauthorized access to sensitive files, execution of malicious payloads, and disruption of services. In a multi-tenant SaaS environment, this could also compromise other tenants' monitoring data.
Reproduction
The vulnerability can be reproduced by creating or editing a network path monitor and placing shell metacharacters in the destination field. When the monitor next runs, the injected commands execute on the Probe server.
Remediation
Users are advised to update to OneUptime version 10.0.7 or later, where this vulnerability has been patched.
