How severe is CVE-2023-28102?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.6 out of 10.

What type of vulnerability is CVE-2023-28102?

This is classified as CWE-78, which is a common weakness in software security.

CVE-2023-28102 - CRITICAL Severity | CVSS 9.6

Vulnerability Description

discordrb is an implementation of the Discord API using Ruby. In discordrb before commit `91e13043ffa` the `encoder.rb` file unsafely constructs a shell string using the file parameter, which can potentially leave clients of discordrb vulnerable to command injection. The library is not directly exploitable: the exploit requires that some client of the library calls the vulnerable method with user input. However, if unsafe input reaches the library method, then an attacker can execute arbitrary shell commands on the host machine. Full impact will depend on the permissions of the process running the `discordrb` library and will likely not be total system access. This issue has been addressed in code, but a new release of the `discordrb` gem has not been uploaded to rubygems. This issue is also tracked as `GHSL-2022-094`.

Related Vulnerabilities

CVE-2020-15121

CRITICAL

CVSS:9.6(Critical)

In radare2 before version 4.5.0, malformed PDB file names in the PDB server path cause shell injection. To trigger the problem it's required to open the executable in radare2 and run idpd to trigger t...

CWE-782020

CVE-2020-15272

CRITICAL

CVSS:9.6(Critical)

In the git-tag-annotation-action (open source GitHub Action) before version 1.0.1, an attacker can execute arbitrary (*) shell commands if they can control the value of [the `tag` input] or manage to ...

CWE-782020

CVE-2022-21178

CRITICAL

CVSS:9.6(Critical)

An os command injection vulnerability exists in the confsrv ucloud_add_new_node functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. A specially-crafted network packet can lead to arbitrary comman...

CWE-782022

CVE-2022-22140

CRITICAL

CVSS:9.6(Critical)

An os command injection vulnerability exists in the confsrv ucloud_add_node functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to arbitrary command e...

CWE-782022

CVE-2023-3974

CRITICAL

CVSS:9.6(Critical)

OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0.

CWE-782023

CVE-2023-46117

CRITICAL

CVSS:9.6(Critical)

reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities. A vulnerability has been identified in r...

CWE-782023