← Back

CVE-2023-2868

nvd nist
Published: May 24, 2023Modified: Oct 24, 2025CISA KEV

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product effecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of BNSF-36456 patch. This patch was automatically applied to all customer appliances.

Affected (5)

Barracuda
5 products
Email Security Gateway 300 Firmware
Email Security Gateway 400 Firmware
Email Security Gateway 600 Firmware
Email Security Gateway 800 Firmware
Email Security Gateway 900 Firmware
Configuration A
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Email Security Gateway 300 Firmware
From 5.1.3.001 to 9.2.0.006
Running on/withPlatform Versions
Barracuda
Email Security Gateway 300
All versions
Configuration B
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Email Security Gateway 400 Firmware
From 5.1.3.001 to 9.2.0.006
Running on/withPlatform Versions
Barracuda
Email Security Gateway 400
All versions
Configuration C
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Email Security Gateway 600 Firmware
From 5.1.3.001 to 9.2.0.006
Running on/withPlatform Versions
Barracuda
Email Security Gateway 600
All versions
Configuration D
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Email Security Gateway 800 Firmware
From 5.1.3.001 to 9.2.0.006
Running on/withPlatform Versions
Barracuda
Email Security Gateway 800
All versions
Configuration E
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Email Security Gateway 900 Firmware
From 5.1.3.001 to 9.2.0.006
Running on/withPlatform Versions
Barracuda
Email Security Gateway 900
All versions

Related CWEs

CWE-20
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (5)

Source: cve-coordination@google.com
Vendor Advisory
Source: cve-coordination@google.com
MitigationVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
MitigationVendor Advisory
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
US Government Resource

Timeline

No history available yet.