CVE-2023-31039

CVE-2023-31039: ServerOptions.pid_file may cause arbitrary code execution

Severity: Important

Affected Versions: Apache bRPC 0.9.0 before 1.5.0

Description: Security vulnerability in Apache bRPC <1.5.0 on all platforms allows attackers to execute arbitrary code via ServerOptions::pid_file. An attacker that can influence the ServerOptions pid_file parameter with which the bRPC server is started can execute arbitrary code with the permissions of the bRPC process.

Solution:

Required Configurations:

  • set brpc::ServerOptions::pid_file from user input

Work Arounds:

References:

  1. https://brpc.apache.org
  2. https://www.cve.org/CVERecord?id=CVE-2023-31039

Last modified November 3, 2023: Release bRPC 1.7.0 (#164) (c91a354)