gov.nsa.emissary.emissary
cpe:2.3:a:nsa:emissary:*:*:*:*:*:*:*
- <= 8.42.0
A command injection vulnerability has been identified in the Emissary workflow engine, specifically in versions 8.42.0 and prior. The issue arises in the Executrix.getCommand() method, which constructs shell commands by directly inserting temporary file paths into a '/bin/sh -c' command string without proper escaping or input validation. This flaw allows a place author to inject arbitrary shell metacharacters that execute commands in the context of the JVM process. The vulnerability is exploited by manipulating the IN_FILE_ENDING and OUT_FILE_ENDING configuration keys, which are not sanitized before being used in command execution. The vulnerability requires no special privileges, API, or network access to exploit.
Exploitation of this vulnerability allows for arbitrary OS command execution via injected metacharacters in file ending values, with the executed commands running in the security context of the JVM process.
The vulnerability can be reproduced by creating a place configuration file that includes injected commands in the IN_FILE_ENDING or OUT_FILE_ENDING values. Once the configuration is loaded by the Emissary server, the injected commands are executed during the processing of any payload by the affected place.
The vulnerability has been fixed in Emissary version 8.43.0. Users should update to this version to address the command injection issue.
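An added example, not Emissary's own code and not part of the original advisory: a Python check that audits place configuration text for IN_FILE_ENDING and OUT_FILE_ENDING values containing anything other than a plain file suffix. The `KEY = "value"` line format, the allow-list and the sample configuration are assumptions constructed for illustration.

```python
import re

# Keys named in the advisory whose values reach the shell command string.
AUDITED_KEYS = {"IN_FILE_ENDING", "OUT_FILE_ENDING"}

# Assumption: a legitimate ending is a short suffix such as ".in" or ".out",
# so any value outside this conservative allow-list is reported.
SAFE_ENDING = re.compile(r"[A-Za-z0-9._-]{0,32}")

# Assumption: configs use KEY = "value" lines; '#' starts a comment line.
ENTRY = re.compile(r"^\s*([A-Z0-9_]+)\s*=\s*(.*?)\s*$")

# Constructed sample configuration (not taken from a real deployment).
SAMPLE = '''\
# constructed example place config
SERVICE_NAME = "EXAMPLE"
IN_FILE_ENDING = ".in"
OUT_FILE_ENDING = ".out;EXAMPLE"
'''


def audit_config(text, source="<config>"):
    """Return (source, line_no, key, value) for each audited key with an unsafe value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        match = ENTRY.match(line)
        if not match or match.group(1) not in AUDITED_KEYS:
            continue
        value = match.group(2)
        # Strip one pair of surrounding double quotes, if present.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if not SAFE_ENDING.fullmatch(value):
            findings.append((source, line_no, match.group(1), value))
    return findings


if __name__ == "__main__":
    for source, line_no, key, value in audit_config(SAMPLE, "sample.cfg"):
        print(f"{source}:{line_no}: {key} has unexpected characters: {value!r}")
```

Running the check over every place configuration before and after upgrading flags values that should be reviewed, since a fixed version does not remove an entry that was already planted.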