CVE-2023-38198

acme.sh before 3.0.6 runs arbitrary commands from a remote server via eval, as exploited in the wild in June 2023.

Basic Information

CVE State: PUBLISHED
Reserved Date: July 13, 2023
Published Date: July 13, 2023
Last Updated: February 13, 2025
Vendor: n/a
Product: n/a
Description: acme.sh before 3.0.6 runs arbitrary commands from a remote server via eval, as exploited in the wild in June 2023.

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation: none
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2023-07-13 00:00:00 UTC) Source

References

https://github.com/acmesh-official/acme.sh/issues/4659 https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/heXVr8o83Ys https://news.ycombinator.com/item?id=36252310 https://github.com/acmesh-official/acme.sh/releases/tag/3.0.6 https://news.ycombinator.com/item?id=36254093 https://www.reddit.com/r/netsec/comments/144ygg7/acmesh_runs_arbitrary_commands_from_a_remote/ http://www.openwall.com/lists/oss-security/2023/07/13/1

Known Exploited Vulnerability Information

Source	Added Date
CVE	2023-07-13 00:00:00 UTC

Timeline

CVE ID Reserved

July 13, 2023
CVE Published to Public

July 13, 2023
Added to KEVIntel

July 13, 2023