Aperi'Solve Unauthenticated Root-Level Remote Code Execution Vulnerability via Password Field in JPSeek Analyzer

A remote code execution vulnerability has been identified in Aperi'Solve versions prior to 3.2.1. This issue arises in the JPSeek analyzer, where an uploaded JPEG can be accompanied by a password. The password is directly injected into an expect command, which is then executed in a bash shell, without any sanitization or validation. This vulnerability allows an unauthenticated attacker to gain root access within the worker container, with a single HTTP request. Exploitation provides full read and write access to all user-uploaded images, analysis results, and plaintext steganography passwords stored on disk. Additionally, the container's shared Docker network with PostgreSQL and Redis (both without authentication) enables the attacker to dump the entire database or manipulate the job queue, potentially poisoning results for other users. If Docker socket mounting or host volume mounts are present, this could escalate to a full compromise of the host, including defacing the website.

Impact

Exploitation of this vulnerability allows for unauthenticated root-level remote code execution in the worker container, with potential escalation to a full host compromise if certain Docker configurations are present.

Reproduction

To reproduce this vulnerability, upload a JPEG image through the Aperi'Solve web platform, including a password that begins with a command injection payload, such as a semicolon followed by a bash command. Once the image is uploaded, the injected command will be executed in the context of the server.

Remediation

Users can update to Aperi'Solve version 3.2.1 or later, where this vulnerability has been fixed.