CVE-2023-47105

HIGH EXPLOITED NUCLEI

chaosblade 0.3-1.7.3 - Unauthenticated OS Command Injection via cmd Parameter

Title source: llm

Exploitation Summary

CVE-2023-47105 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

exec.CommandContext in Chaosblade 0.3 through 1.7.3, when server mode is used, allows OS command execution via the cmd parameter without authentication.

Nuclei Templates (1)

Chaosblade < 1.7.4 - Remote Code Execution

HIGHVERIFIEDby s4e-io

References (2)

Core 2

Core References

Various Sources

https://github.com/chaosblade-io/chaosblade/blob/0a07380c9899febb2b544132783b376b44226cca/exec/os/executor.go#L68

View Writeup ZIP pw:eip

Various Sources

https://narrow-oatmeal-0c0.notion.site/ChaosBlade-Remote-Command-Execution-CVE-2023-47105-4f5459046488436caaec2bced6ff26d7

Scores

CVSS v3 8.6

EPSS 0.0160

EPSS Percentile 72.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

VulnCheck KEV 2025-06-08

CWE

CWE-78

Status published

Products (1)

chaosblade-io/chaosblade 0.0.3 - 1.7.4Go

Published Sep 18, 2024

Tracked Since Feb 18, 2026