{"uuid": "21dff982-125a-4b11-a32d-22a203043f4d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "GHSA-MM6V-68QP-F9FW", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/4172", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: GHSA-mm6v-68qp-f9fw\n\ud83d\udd25 CVSS Score: 9.8 (CVSS_V3)\n\ud83d\udd39 Description: ### Impact\n\nRemote code execution may be possible in web-accessible installations of Homarus in certain configurations.\n\n### Patches\n\nThe issue has been patched in `islandora/crayfish:4.1.0`\n\n### Workarounds\n\nThe exploit requires making a request against the Homarus's `/convert` endpoint; therefore, the ability to exploit is much reduced if the microservice is not directly accessible from the Internet, so: Prevent general access from the Internet from hitting Homarus.\n\nConfigure auth in Crayfish to be more strongly required, such that requests with `Authorization` headers that do not validate are rejected before the problematic CLI interpolation occurs.\n\n### References\n\n- XBOW-024-071\n\ud83d\udccf Published: 2025-01-15T22:04:19Z\n\ud83d\udccf Modified: 2025-02-13T00:44:33Z\n\ud83d\udd17 References:\n1. https://github.com/Islandora/Crayfish/security/advisories/GHSA-mm6v-68qp-f9fw\n2. https://github.com/Islandora/Crayfish/commit/64cb4cec688928798cc40e6f0a0e863d7f69fd89\n3. https://github.com/Islandora/Crayfish", "creation_timestamp": "2025-02-13T01:08:08.000000Z"}