CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2023-2868

A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product effecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of BNSF-36456 patch. This patch was automatically applied to all customer appliances.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.901

EPSS Ranking 99.6%

CVSS Severity

CVSS v3 Score 9.4

Proposed Action

Barracuda Email Security Gateway (ESG) appliance contains an improper input validation vulnerability of a user-supplied .tar file, leading to remote command injection.

Ransomware Campaign

Unknown

References

Products affected by CVE-2023-2868

Barracuda » Email Security Gateway 300 » Version: N/A

cpe:2.3:h:barracuda:email_security_gateway_300:-
Barracuda » Email Security Gateway 400 » Version: N/A

cpe:2.3:h:barracuda:email_security_gateway_400:-
Barracuda » Email Security Gateway 600 » Version: N/A

cpe:2.3:h:barracuda:email_security_gateway_600:-
Barracuda » Email Security Gateway 800 » Version: N/A

cpe:2.3:h:barracuda:email_security_gateway_800:-
Barracuda » Email Security Gateway 900 » Version: N/A

cpe:2.3:h:barracuda:email_security_gateway_900:-
Barracuda » Email Security Gateway 300 Firmware » Version: 5.1.3.001

cpe:2.3:o:barracuda:email_security_gateway_300_firmware:5.1.3.001
Barracuda » Email Security Gateway 300 Firmware » Version: 9.2.0.006

cpe:2.3:o:barracuda:email_security_gateway_300_firmware:9.2.0.006
Barracuda » Email Security Gateway 400 Firmware » Version: 5.1.3.001

cpe:2.3:o:barracuda:email_security_gateway_400_firmware:5.1.3.001
Barracuda » Email Security Gateway 400 Firmware » Version: 9.2.0.006

cpe:2.3:o:barracuda:email_security_gateway_400_firmware:9.2.0.006
Barracuda » Email Security Gateway 600 Firmware » Version: 5.1.3.001

cpe:2.3:o:barracuda:email_security_gateway_600_firmware:5.1.3.001
Barracuda » Email Security Gateway 600 Firmware » Version: 9.2.0.006

cpe:2.3:o:barracuda:email_security_gateway_600_firmware:9.2.0.006
Barracuda » Email Security Gateway 800 Firmware » Version: 5.1.3.001

cpe:2.3:o:barracuda:email_security_gateway_800_firmware:5.1.3.001
Barracuda » Email Security Gateway 800 Firmware » Version: 9.2.0.006

cpe:2.3:o:barracuda:email_security_gateway_800_firmware:9.2.0.006
Barracuda » Email Security Gateway 900 Firmware » Version: 5.1.3.001

cpe:2.3:o:barracuda:email_security_gateway_900_firmware:5.1.3.001
Barracuda » Email Security Gateway 900 Firmware » Version: 9.2.0.006

cpe:2.3:o:barracuda:email_security_gateway_900_firmware:9.2.0.006

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2023-2868

Products

Pricing

Contact Us