Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for getssl by ServerCo

    CVE-2026-10303 (GCVE-0-2026-10303)

    Vulnerability from nvd – Published: 2026-06-16 18:24 – Updated: 2026-06-17 15:18
    VLAI
    Title
    ServerCo getssl ACME shell script path injection
    Summary
    In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, "External control of file name or path." Other ACME shell script handlers may be affected by similar issues.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-73 - External control of file name or path
    Assigner
    Impacted products
    Vendor Product Version
    ServerCo getssl Affected: 0 , ≤ 2.49 (custom)
    Create a notification for this product.
    Date Public
    2026-06-16 18:20
    Credits
    remy Tod Beardsley of runZero
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10303",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-17T15:17:32.277126Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-17T15:18:11.930Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "getssl",
              "repo": "https://github.com/srvrco/getssl",
              "vendor": "ServerCo",
              "versions": [
                {
                  "lessThanOrEqual": "2.49",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "remy"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero"
            }
          ],
          "datePublic": "2026-06-16T18:20:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, \"External control of file name or path.\" Other ACME shell script handlers may be affected by similar issues."
                }
              ],
              "value": "In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, \"External control of file name or path.\" Other ACME shell script handlers may be affected by similar issues."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "CWE-73 External control of file name or path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-16T18:24:43.712Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "mitigation"
              ],
              "url": "https://github.com/srvrco/getssl/pull/896"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://remyhax.xyz/posts/reproducing-lawful-tls-wiretapping/"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://www.cve.org/CVERecord?id=CVE-2023-38198"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/serverco-getssl-acme-cmd-injection-cve-2026-10303/"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://github.com/srvrco/getssl/releases/tag/v2.50"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "ServerCo getssl ACME shell script path injection",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-10303",
        "datePublished": "2026-06-16T18:24:43.712Z",
        "dateReserved": "2026-05-31T21:05:04.476Z",
        "dateUpdated": "2026-06-17T15:18:11.930Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10303 (GCVE-0-2026-10303)

    Vulnerability from cvelistv5 – Published: 2026-06-16 18:24 – Updated: 2026-06-17 15:18
    VLAI
    Title
    ServerCo getssl ACME shell script path injection
    Summary
    In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, "External control of file name or path." Other ACME shell script handlers may be affected by similar issues.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-73 - External control of file name or path
    Assigner
    Impacted products
    Vendor Product Version
    ServerCo getssl Affected: 0 , ≤ 2.49 (custom)
    Create a notification for this product.
    Date Public
    2026-06-16 18:20
    Credits
    remy Tod Beardsley of runZero
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10303",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-17T15:17:32.277126Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-17T15:18:11.930Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "getssl",
              "repo": "https://github.com/srvrco/getssl",
              "vendor": "ServerCo",
              "versions": [
                {
                  "lessThanOrEqual": "2.49",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "remy"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero"
            }
          ],
          "datePublic": "2026-06-16T18:20:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, \"External control of file name or path.\" Other ACME shell script handlers may be affected by similar issues."
                }
              ],
              "value": "In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, \"External control of file name or path.\" Other ACME shell script handlers may be affected by similar issues."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "CWE-73 External control of file name or path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-16T18:24:43.712Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "mitigation"
              ],
              "url": "https://github.com/srvrco/getssl/pull/896"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://remyhax.xyz/posts/reproducing-lawful-tls-wiretapping/"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://www.cve.org/CVERecord?id=CVE-2023-38198"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/serverco-getssl-acme-cmd-injection-cve-2026-10303/"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://github.com/srvrco/getssl/releases/tag/v2.50"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "ServerCo getssl ACME shell script path injection",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-10303",
        "datePublished": "2026-06-16T18:24:43.712Z",
        "dateReserved": "2026-05-31T21:05:04.476Z",
        "dateUpdated": "2026-06-17T15:18:11.930Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }