x/vulndb: potential Go vuln in github.com/chaosblade-io/chaosblade: GHSA-723h-x37g-f8qm

[GoVulnBot]

Advisory GHSA-723h-x37g-f8qm references a vulnerability in the following Go modules:

Module
github.com/chaosblade-io/chaosblade

Description:
exec.CommandContext in Chaosblade 0.3 through 1.7.3, when server mode is used, allows OS command execution via the cmd parameter without authentication.

References:

• ADVISORY: GHSA-723h-x37g-f8qm
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-47105
• FIX: chaosblade-io/chaosblade@6bc73c3
• WEB: https://github.com/chaosblade-io/chaosblade/blob/0a07380c9899febb2b544132783b376b44226cca/exec/os/executor.go#L68
• WEB: https://narrow-oatmeal-0c0.notion.site/ChaosBlade-Remote-Command-Execution-CVE-2023-47105-4f5459046488436caaec2bced6ff26d7

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/chaosblade-io/chaosblade
      versions:
        - introduced: 0.0.3
        - fixed: 1.7.4
      vulnerable_at: 1.7.3
summary: Chaosblade vulnerable to OS command execution in github.com/chaosblade-io/chaosblade
cves:
    - CVE-2023-47105
ghsas:
    - GHSA-723h-x37g-f8qm
references:
    - advisory: https://github.com/advisories/GHSA-723h-x37g-f8qm
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-47105
    - fix: https://github.com/chaosblade-io/chaosblade/commit/6bc73c31e14ea2b1bfc30f359e1fe952859d9adc
    - web: https://github.com/chaosblade-io/chaosblade/blob/0a07380c9899febb2b544132783b376b44226cca/exec/os/executor.go#L68
    - web: https://narrow-oatmeal-0c0.notion.site/ChaosBlade-Remote-Command-Execution-CVE-2023-47105-4f5459046488436caaec2bced6ff26d7
source:
    id: GHSA-723h-x37g-f8qm
    created: 2024-09-18T20:01:37.769254426Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/614080 mentions this issue: data/reports: add GO-2024-3133