CVE-2019-13623

HIGH

NSA Ghidra <9.1 - Path Traversal

Title source: llm

Description

In NSA Ghidra before 9.1, path traversal can occur in RestoreTask.java (from the package ghidra.app.plugin.core.archive) via an archive with an executable file that has an initial ../ in its filename. This allows attackers to overwrite arbitrary files in scenarios where an intermediate analysis result is archived for sharing with other persons. To achieve arbitrary code execution, one approach is to overwrite some critical Ghidra modules, e.g., the decompile module.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Etienne Lacoche · pythonlocallinux

https://www.exploit-db.com/exploits/47231

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory] https://github.com/NationalSecurityAgency/ghidra/issues/789

[Exploit, Third Party Advisory] http://blog.fxiao.me/ghidra/

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/154015/Ghidra-Linux-9.0.4-Arbitrary-Code-Execution.html

[Various Sources] https://ghidra-sre.org/releaseNotes_9.1_final.html

Scores

CVSS v3 7.8

EPSS 0.0410

EPSS Percentile 88.6%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-22

Status published

Products (1)

nsa/ghidra < 9.0.4

Published Jul 17, 2019

Tracked Since Feb 18, 2026