CVE-2023-2868
Published on May 24, 2023

A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product, affecting versions 5.1.3.001-9.2.0.006. The vulnerability arises from a failure to comprehensively sanitize the processing of .tar files (tape archives). Specifically, it stems from incomplete input validation of a user-supplied .tar file with respect to the names of the files contained within the archive. As a consequence, a remote attacker can format these file names in a particular manner that results in remote execution of a system command through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of the BNSF-36456 patch, which was automatically applied to all customer appliances.
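A defender-side check for the vector described above, added here as an example and not code from Barracuda or from this page: it parses a .tar archive and flags member names containing characters outside a conservative allowlist, which is the property that makes a name unsafe to interpolate into a shell command line such as one built with Perl's qx. The allowlist pattern, the constructed SAMPLE archive and the function names are my own assumptions.

```python
import io
import re
import tarfile

# Conservative allowlist for archive member names (assumption, not the
# vendor's rule). Characters left out of it, such as ; | & ` $ ( ) and
# newlines, are the ones a shell would interpret if the name were
# interpolated into a command string.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._/ -]+$")


def suspicious_members(tar_bytes: bytes) -> list[str]:
    """Return the names of members in a .tar that fall outside SAFE_NAME."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            # Only the header's name field is inspected; contents are never
            # extracted, so this is safe to run on quarantined attachments.
            if not SAFE_NAME.fullmatch(member.name):
                flagged.append(member.name)
    return flagged


def build_sample_tar(names) -> bytes:
    """Constructed sample archive: one empty regular file per given name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


# Constructed input: two ordinary names and one carrying shell syntax.
SAMPLE = build_sample_tar(["report.pdf", "notes/2023-05.txt", "photo$(x).jpg"])

if __name__ == "__main__":
    for name in suspicious_members(SAMPLE):
        print("suspicious member name:", repr(name))
```

Scanning an archive this way does not depend on how the appliance later uses the names, so it works as a triage filter on mail attachments in front of any .tar-processing pipeline.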


Known Exploited Vulnerability

This Barracuda Networks ESG Appliance Improper Input Validation Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Barracuda Email Security Gateway (ESG) appliance contains an improper input validation vulnerability of a user-supplied .tar file, leading to remote command injection.

The following remediation steps are recommended / required by June 16, 2023: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2023-2868 is exploitable with network access and does not require privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered critical, as it has a high impact on the confidentiality, integrity and availability of this component.

What is a Command Injection Vulnerability?

The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CVE-2023-2868 has been classified as a Command Injection vulnerability or weakness.



What versions are vulnerable to CVE-2023-2868?

Each of the following must match for the vulnerability to exist.