Parseusbs OS Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in Parseusbs versions prior to 1.9. The issue arises because the volume listing path argument, specified with the -v flag, is passed without proper sanitization into a shell command using os.popen(). This flaw allows arbitrary command injection by crafting volume path arguments that include shell metacharacters. An attacker can exploit this vulnerability by injecting commands during the enumeration of volume contents.
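The unsafe pattern the advisory describes, beside a hardened replacement, as an added example; this is illustrative code, not Parseusbs's own source, and the `ls -la` listing command, the function names and the `make_sample_volume` helper are assumptions. The vulnerable function only builds the command string so the construction can be inspected; the hardened path validates the argument as an existing directory, passes it as a single argv element rather than through a shell, and, for a plain directory listing, avoids spawning a process at all.

```python
"""Added example (not Parseusbs's own code): shell-interpolated -v argument
versus a validated, argv-based listing."""
import os
import re
import subprocess
import tempfile

# Characters a POSIX shell treats specially. A volume path never needs them,
# so their presence is a reliable reject signal before anything is executed.
_SHELL_META = re.compile(r"[;&|`$<>(){}\[\]*?!\n\r\\\"']")


def vulnerable_listing_command(volume_path: str) -> str:
    """Shape of the flaw: the user-supplied path is concatenated into one
    command string that os.popen() would hand to /bin/sh, so any shell
    metacharacter in the path changes what the shell executes.
    Returned, never run, so the defect is visible without being triggered.
    (Hypothetical command; the advisory does not quote the exact line.)"""
    return "ls -la " + volume_path


def validate_volume_path(volume_path: str) -> str:
    """Accept only a plain path that resolves to an existing directory."""
    if _SHELL_META.search(volume_path):
        raise ValueError("volume path contains shell metacharacters")
    real = os.path.realpath(volume_path)
    if not os.path.isdir(real):
        raise ValueError("volume path is not an existing directory")
    return real


def hardened_listing_argv(volume_path: str) -> list:
    """argv form: the path is one argument and no shell parses it."""
    return ["ls", "-la", validate_volume_path(volume_path)]


def run_listing(volume_path: str) -> str:
    """Executes the hardened argv with shell=False (the subprocess default)."""
    argv = hardened_listing_argv(volume_path)
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def list_volume(volume_path: str) -> list:
    """Preferred fix for a directory listing: no subprocess at all."""
    return sorted(os.listdir(validate_volume_path(volume_path)))


def make_sample_volume() -> str:
    """Constructed sample input: a temp directory standing in for a volume."""
    root = tempfile.mkdtemp(prefix="vol_")
    for name in ("readme.txt", "photo.jpg"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    vol = make_sample_volume()
    print("unsafe string the old code would pass to a shell:")
    print("  ", vulnerable_listing_command(vol))
    print("hardened argv:", hardened_listing_argv(vol))
    print("pure-Python listing:", list_volume(vol))
    try:
        validate_volume_path(vol + "; echo injected")
    except ValueError as exc:
        print("rejected:", exc)
```

The `_SHELL_META` check is defence in depth: with `shell=False` the argv list is already safe, but rejecting odd characters up front also catches paths that are clearly not volumes before any filesystem access happens.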
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the host system where Parseusbs is run.
Reproduction
To reproduce this vulnerability, use a Parseusbs version prior to 1.9 and provide a crafted volume path argument via the -v flag. The injected commands are executed during the volume content enumeration process.
Remediation
Users are advised to update to Parseusbs version 1.9 or later, where this vulnerability has been fixed.