Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for email_security_gateway_600_firmware by barracuda

    CVE-2023-7102 (GCVE-0-2023-7102)

    Vulnerability from nvd – Published: 2023-12-24 21:47 – Updated: 2024-08-02 08:50
    VLAI
    Title
    Remote Code Execution (RCE) Vulnerability
    Summary
    Use of a Third Party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection.This issue affected Barracuda ESG Appliance, from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic.
    Severity
    No CVSS data available.
    CWE
    • CWE-1104 - Use of Unmaintained Third Party Components
    Assigner
    Impacted products
    Vendor Product Version
    Barracuda Networks Inc. Barracuda ESG Appliance Affected: 5.1.3.001 , ≤ 9.2.1.001 (custom)
    Create a notification for this product.
    Credits
    Barracuda Networks Inc. - https://www.barracuda.com/ Barracuda Networks Inc. - https://www.barracuda.com/ Barracuda Networks Inc. - https://www.barracuda.com/
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:50:08.291Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.barracuda.com/company/legal/esg-vulnerability"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cve.org/CVERecord?id=CVE-2023-7101"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://metacpan.org/dist/Spreadsheet-ParseExcel"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/haile01/perl_spreadsheet_excel_rce_poc"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Barracuda ESG Appliance",
              "vendor": "Barracuda Networks Inc.",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "Patched in all active versions by security update removing the vulnerable logic.",
                      "status": "affected"
                    }
                  ],
                  "lessThanOrEqual": "9.2.1.001",
                  "status": "affected",
                  "version": "5.1.3.001",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Barracuda Networks Inc. - https://www.barracuda.com/"
            },
            {
              "lang": "en",
              "type": "reporter",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Barracuda Networks Inc. - https://www.barracuda.com/"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Barracuda Networks Inc. - https://www.barracuda.com/"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Use of a Third Party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection.\u003cp\u003eThis issue affected Barracuda ESG Appliance, from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic.\u003c/p\u003e"
                }
              ],
              "value": "Use of a Third Party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection.This issue affected Barracuda ESG Appliance, from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic.\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-137",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-137: Parameter Injection"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1104",
                  "description": "CWE-1104: Use of Unmaintained Third Party Components",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-12-26T19:23:33.832Z",
            "orgId": "027e81ed-0dd4-4685-ab4d-884aec5bb484",
            "shortName": "Mandiant"
          },
          "references": [
            {
              "url": "https://www.barracuda.com/company/legal/esg-vulnerability"
            },
            {
              "url": "https://www.cve.org/CVERecord?id=CVE-2023-7101"
            },
            {
              "url": "https://metacpan.org/dist/Spreadsheet-ParseExcel"
            },
            {
              "url": "https://github.com/haile01/perl_spreadsheet_excel_rce_poc"
            },
            {
              "url": "https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171"
            },
            {
              "url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Remote Code Execution (RCE) Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "027e81ed-0dd4-4685-ab4d-884aec5bb484",
        "assignerShortName": "Mandiant",
        "cveId": "CVE-2023-7102",
        "datePublished": "2023-12-24T21:47:20.453Z",
        "dateReserved": "2023-12-24T17:32:25.423Z",
        "dateUpdated": "2024-08-02T08:50:08.291Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-2868 (GCVE-0-2023-2868)

    Vulnerability from nvd – Published: 2023-05-24 18:00 – Updated: 2025-10-21 23:05
    VLAI CISA KEVIntel
    Title
    Remote Code injection in Barracuda Email Security Gateway
    Summary
    A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product effecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of BNSF-36456 patch. This patch was automatically applied to all customer appliances.
    SSVC
    Exploitation: active Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    Barracuda Barracuda Email Security Gateway Affected: 5.1.3.001 , < 9.2.0.006 (custom)
    Create a notification for this product.
    Date Public
    2023-05-23 10:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:33:06.053Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.barracuda.com/company/legal/esg-vulnerability"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://status.barracuda.com/incidents/34kx82j5n4q9"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-2868",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-16T15:36:08.898946Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2023-05-26",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-2868"
                  },
                  "type": "kev"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-21T23:05:47.195Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-2868"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2023-05-26T00:00:00.000Z",
                "value": "CVE-2023-2868 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Barracuda Email Security Gateway",
              "vendor": "Barracuda",
              "versions": [
                {
                  "lessThan": "9.2.0.006",
                  "status": "affected",
                  "version": "5.1.3.001",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2023-05-23T10:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product effecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives).\u0026nbsp;The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl\u0027s qx operator with the privileges of the Email Security Gateway product.\u0026nbsp;This issue was fixed as part of BNSF-36456 patch. This patch was automatically applied to all customer appliances."
                }
              ],
              "value": "A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product effecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives).\u00a0The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl\u0027s qx operator with the privileges of the Email Security Gateway product.\u00a0This issue was fixed as part of BNSF-36456 patch. This patch was automatically applied to all customer appliances."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-253",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-253 Remote Code Inclusion"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-24T18:00:52.360Z",
            "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
            "shortName": "Google"
          },
          "references": [
            {
              "url": "https://www.barracuda.com/company/legal/esg-vulnerability"
            },
            {
              "url": "https://status.barracuda.com/incidents/34kx82j5n4q9"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Remote Code injection in Barracuda Email Security Gateway",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "assignerShortName": "Google",
        "cveId": "CVE-2023-2868",
        "datePublished": "2023-05-24T18:00:52.360Z",
        "dateReserved": "2023-05-24T14:24:16.482Z",
        "dateUpdated": "2025-10-21T23:05:47.195Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-7102 (GCVE-0-2023-7102)

    Vulnerability from cvelistv5 – Published: 2023-12-24 21:47 – Updated: 2024-08-02 08:50
    VLAI
    Title
    Remote Code Execution (RCE) Vulnerability
    Summary
    Use of a Third Party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection.This issue affected Barracuda ESG Appliance, from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic.
    Severity
    No CVSS data available.
    CWE
    • CWE-1104 - Use of Unmaintained Third Party Components
    Assigner
    Impacted products
    Vendor Product Version
    Barracuda Networks Inc. Barracuda ESG Appliance Affected: 5.1.3.001 , ≤ 9.2.1.001 (custom)
    Create a notification for this product.
    Credits
    Barracuda Networks Inc. - https://www.barracuda.com/ Barracuda Networks Inc. - https://www.barracuda.com/ Barracuda Networks Inc. - https://www.barracuda.com/
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:50:08.291Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.barracuda.com/company/legal/esg-vulnerability"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cve.org/CVERecord?id=CVE-2023-7101"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://metacpan.org/dist/Spreadsheet-ParseExcel"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/haile01/perl_spreadsheet_excel_rce_poc"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Barracuda ESG Appliance",
              "vendor": "Barracuda Networks Inc.",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "Patched in all active versions by security update removing the vulnerable logic.",
                      "status": "affected"
                    }
                  ],
                  "lessThanOrEqual": "9.2.1.001",
                  "status": "affected",
                  "version": "5.1.3.001",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Barracuda Networks Inc. - https://www.barracuda.com/"
            },
            {
              "lang": "en",
              "type": "reporter",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Barracuda Networks Inc. - https://www.barracuda.com/"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Barracuda Networks Inc. - https://www.barracuda.com/"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Use of a Third Party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection.\u003cp\u003eThis issue affected Barracuda ESG Appliance, from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic.\u003c/p\u003e"
                }
              ],
              "value": "Use of a Third Party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection.This issue affected Barracuda ESG Appliance, from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic.\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-137",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-137: Parameter Injection"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1104",
                  "description": "CWE-1104: Use of Unmaintained Third Party Components",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-12-26T19:23:33.832Z",
            "orgId": "027e81ed-0dd4-4685-ab4d-884aec5bb484",
            "shortName": "Mandiant"
          },
          "references": [
            {
              "url": "https://www.barracuda.com/company/legal/esg-vulnerability"
            },
            {
              "url": "https://www.cve.org/CVERecord?id=CVE-2023-7101"
            },
            {
              "url": "https://metacpan.org/dist/Spreadsheet-ParseExcel"
            },
            {
              "url": "https://github.com/haile01/perl_spreadsheet_excel_rce_poc"
            },
            {
              "url": "https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171"
            },
            {
              "url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Remote Code Execution (RCE) Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "027e81ed-0dd4-4685-ab4d-884aec5bb484",
        "assignerShortName": "Mandiant",
        "cveId": "CVE-2023-7102",
        "datePublished": "2023-12-24T21:47:20.453Z",
        "dateReserved": "2023-12-24T17:32:25.423Z",
        "dateUpdated": "2024-08-02T08:50:08.291Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-2868 (GCVE-0-2023-2868)

    Vulnerability from cvelistv5 – Published: 2023-05-24 18:00 – Updated: 2025-10-21 23:05
    VLAI CISA KEVIntel
    Title
    Remote Code injection in Barracuda Email Security Gateway
    Summary
    A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product effecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of BNSF-36456 patch. This patch was automatically applied to all customer appliances.
    SSVC
    Exploitation: active Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    Barracuda Barracuda Email Security Gateway Affected: 5.1.3.001 , < 9.2.0.006 (custom)
    Create a notification for this product.
    Date Public
    2023-05-23 10:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:33:06.053Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.barracuda.com/company/legal/esg-vulnerability"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://status.barracuda.com/incidents/34kx82j5n4q9"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-2868",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-16T15:36:08.898946Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2023-05-26",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-2868"
                  },
                  "type": "kev"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-21T23:05:47.195Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-2868"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2023-05-26T00:00:00.000Z",
                "value": "CVE-2023-2868 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Barracuda Email Security Gateway",
              "vendor": "Barracuda",
              "versions": [
                {
                  "lessThan": "9.2.0.006",
                  "status": "affected",
                  "version": "5.1.3.001",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2023-05-23T10:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product effecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives).\u0026nbsp;The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl\u0027s qx operator with the privileges of the Email Security Gateway product.\u0026nbsp;This issue was fixed as part of BNSF-36456 patch. This patch was automatically applied to all customer appliances."
                }
              ],
              "value": "A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product effecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives).\u00a0The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl\u0027s qx operator with the privileges of the Email Security Gateway product.\u00a0This issue was fixed as part of BNSF-36456 patch. This patch was automatically applied to all customer appliances."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-253",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-253 Remote Code Inclusion"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-24T18:00:52.360Z",
            "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
            "shortName": "Google"
          },
          "references": [
            {
              "url": "https://www.barracuda.com/company/legal/esg-vulnerability"
            },
            {
              "url": "https://status.barracuda.com/incidents/34kx82j5n4q9"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Remote Code injection in Barracuda Email Security Gateway",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "assignerShortName": "Google",
        "cveId": "CVE-2023-2868",
        "datePublished": "2023-05-24T18:00:52.360Z",
        "dateReserved": "2023-05-24T14:24:16.482Z",
        "dateUpdated": "2025-10-21T23:05:47.195Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }