HummerRisk
cpe:2.3:a:hummerrisk:hummerrisk:*:*:*:*:*:*:*
- <= 1.5.0
A command injection vulnerability has been identified in HummerRisk versions through 1.5.0. This issue resides in the Cloud Task dry-run feature, specifically within the 'CloudTaskService.java' file. The vulnerability allows remote attackers to inject arbitrary operating system commands by manipulating the 'fileName' parameter, which is used in command execution without proper validation. The injected commands are executed immediately, leading to unauthorized command execution on the server.
Exploitation of this vulnerability allows for immediate remote code execution on the server with the privileges of the 'hummer-risk' user. This could potentially lead to escalated privileges if sudo access is configured, as well as access to all files readable by the hummer-risk user. Additionally, the vulnerability could be exploited to access and exfiltrate cloud provider credentials stored in the application's database.
To reproduce this vulnerability, send a POST request to the '/task/manual/dryRun' endpoint with a crafted 'fileName' parameter that includes malicious commands. The 'fileName' value will be extracted and used to construct a command that is executed immediately, without any validation or sanitization.
Users are advised to update to HummerRisk version 1.5.1 or later, where this vulnerability has been addressed.
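As an added illustration (not HummerRisk's own code), the following shows how a dry-run handler can treat a caller-supplied 'fileName' safely: allowlist it, confine it to a fixed directory, and hand it to ProcessBuilder as a separate argument so no shell ever parses it. The tool name, base directory and flag are placeholders assumed for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.regex.Pattern;

/*
 * Illustrative hardening for the pattern described in the advisory (added
 * example, not HummerRisk's own code): a user-supplied file name must never
 * be spliced into a shell command string. Instead, (1) restrict it to an
 * allowlist, (2) resolve it under a fixed base directory and confirm it stays
 * there, and (3) pass it as a discrete argument to ProcessBuilder, which does
 * not invoke a shell, so metacharacters are never interpreted.
 */
public final class SafeDryRun {

    // Conservative allowlist: plain names only, no separators or metacharacters.
    private static final Pattern SAFE_NAME =
            Pattern.compile("^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$");

    // Hypothetical directory in which dry-run task files are expected to live.
    private static final Path BASE_DIR =
            Paths.get("/opt/hummer/tasks").toAbsolutePath().normalize();

    /** Returns the validated path, or throws if the name is unacceptable. */
    public static Path validateFileName(String fileName) {
        if (fileName == null || !SAFE_NAME.matcher(fileName).matches()) {
            throw new IllegalArgumentException("fileName rejected by allowlist");
        }
        Path resolved = BASE_DIR.resolve(fileName).normalize();
        if (!resolved.startsWith(BASE_DIR)) { // defence in depth against traversal
            throw new IllegalArgumentException("fileName escapes base directory");
        }
        return resolved;
    }

    /** Builds the argv list; "dry-run-tool" stands in for the real command. */
    public static List<String> buildCommand(String fileName) {
        Path target = validateFileName(fileName);
        // Each element is one argv entry; with no "sh -c", "; echo" is just text.
        return List.of("dry-run-tool", "--file", target.toString());
    }

    public static void main(String[] args) {
        for (String candidate : new String[] {"task.yml", "task.yml; echo hi", "../x"}) {
            try {
                List<String> cmd = buildCommand(candidate);
                System.out.println("accepted: " + cmd);
                // new ProcessBuilder(cmd).inheritIO().start();  // runs without a shell
            } catch (IllegalArgumentException e) {
                System.out.println("rejected '" + candidate + "': " + e.getMessage());
            }
        }
    }
}
```

Only the first candidate is accepted; the other two fail the allowlist before any command is assembled.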