CVE-2023-1313

8.8 HIGH

📋 TL;DR

This vulnerability allows attackers to upload malicious files to the Cockpit CMS due to insufficient file type validation. It affects all users running Cockpit versions prior to 2.4.1, potentially leading to remote code execution or server compromise.

💻 Affected Systems

Products:
  • Cockpit CMS
Versions: All versions prior to 2.4.1
Operating Systems: Any OS running Cockpit
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations with file upload functionality enabled, which is common in CMS deployments.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

File upload leading to web shell deployment, allowing attackers to execute arbitrary commands on the server.

🟢 If Mitigated

File upload attempts are blocked or logged, with no successful exploitation due to proper file validation.

🌐 Internet-Facing: HIGH - Web applications with file upload functionality exposed to the internet are primary targets.
🏢 Internal Only: MEDIUM - Internal applications could still be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires file upload access but is straightforward once access is obtained. Public proof-of-concept exists in the bounty report.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.1

Vendor Advisory: https://github.com/cockpit-hq/cockpit/commit/becca806c7071ecc732521bb5ad0bb9c64299592

Restart Required: No

Instructions:

1. Update Cockpit to version 2.4.1 or later.
2. Use composer update cockpit-hq/cockpit or download from GitHub.
3. Verify the update by checking the version.

🔧 Temporary Workarounds

Disable File Uploads (applies to: all platforms)

Temporarily disable file upload functionality in the Cockpit configuration.

Edit config/config.php and set 'upload' => false

Web Server File Restriction (applies to: linux)

Configure the web server to deny access to dangerous file types in the upload directory, so that a script that does get uploaded cannot be served or executed.

For Apache: Add 'Deny from all' (Apache 2.4 syntax: 'Require all denied') to the upload directory's .htaccess
For Nginx: location ~ \.(php|phtml|sh)$ { deny all; }

Scope the Nginx rule to the upload directory path; applied server-wide, the php pattern would also deny Cockpit's own PHP entry point.

🧯 If You Can't Patch

  • Implement strict file type validation at the application level
  • Isolate the Cockpit instance in a restricted network segment

🔍 How to Verify

Check if Vulnerable:

Check Cockpit version in admin panel or via composer show cockpit-hq/cockpit

Check Version:

composer show cockpit-hq/cockpit | grep versions

Verify Fix Applied:

Verify version is 2.4.1 or later and test file upload with dangerous extensions

📡 Detection & Monitoring

Log Indicators:

  • File upload attempts with .php, .phtml, .sh extensions
  • Unusual file uploads to upload directories
  • Web server error logs showing blocked uploads

Network Indicators:

  • POST requests to upload endpoints with suspicious file types
  • Traffic to unexpected files in upload directories

SIEM Query:

source="web.log" (method="POST" AND uri="*/upload*" AND (file_ext="php" OR file_ext="phtml" OR file_ext="sh"))
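The same logic as the SIEM query above, run over access-log lines, as an added example that is not part of the original advisory. The log format, request paths and hosts are constructed (not real Cockpit routes), and the second rule covers the "traffic to unexpected files in upload directories" network indicator:

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Extensions the advisory's SIEM query flags; compared case-insensitively.
DANGEROUS_EXTS = {"php", "phtml", "sh"}

# Combined-log-format parser; method, URI and status are all we need.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (hypothetical upload paths, not Cockpit's own).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2023:12:00:01 +0000] "POST /upload/shell.php HTTP/1.1" 200 512 "-" "curl/7.88"
203.0.113.5 - - [10/Mar/2023:12:00:02 +0000] "POST /upload/logo.png HTTP/1.1" 200 512 "-" "curl/7.88"
198.51.100.7 - - [10/Mar/2023:12:00:03 +0000] "POST /api/upload/img.PHTML?v=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:12:00:04 +0000] "GET /storage/uploads/shell.php HTTP/1.1" 200 8 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2023:12:00:05 +0000] "POST /upload/run.sh HTTP/1.1" 403 0 "-" "python-requests/2.28"
"""


def file_ext(uri: str) -> str:
    """Extension of the URI's last path segment, ignoring the query string."""
    name = urlsplit(uri).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify(entry: dict) -> Optional[str]:
    """Return the advisory indicator a parsed request matches, or None."""
    path = urlsplit(entry["uri"]).path.lower()
    if file_ext(entry["uri"]) not in DANGEROUS_EXTS or "/upload" not in path:
        return None
    if entry["method"] == "POST":
        return "upload of executable file type"          # log indicator 1
    if entry["method"] == "GET":
        return "request for executable file in upload dir"  # network indicator 2
    return None


def find_suspicious(log_text: str) -> list:
    """Run the indicators over raw access-log text; one dict per hit."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than guess at them
        entry = m.groupdict()
        reason = classify(entry)
        if reason:
            hits.append({**entry, "reason": reason})
    return hits
```

A blocked attempt (the 403 line) is still reported, matching the "web server error logs showing blocked uploads" indicator; a double extension such as shell.php.jpg is not flagged, exactly as in the SIEM query.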
