Affected module/version
eladmin-system – deployment module. Observed on current main (DeployController / DeployServiceImpl).
Vulnerability detail
- `DeployServiceImpl.startServer` uses `resources.getApp().getStartScript()` directly and passes it to `ExecuteShellUtil.execute(...)` over SSH. The service does not re-load the App by id or validate the script; any string in the request body becomes a shell command executed on every associated server.
- `DeployController` only checks the deploy permission:

  ```java
  @PreAuthorize("@el.check('deploy:edit')")
  ```

  With a stolen/abused token or CSRF against an authenticated admin, arbitrary commands can be run on all configured target servers (or localhost if added as a target).
Impact
Authenticated RCE on all deployment targets (including potentially the app host, if it is configured as a target). An attacker with API access can execute arbitrary OS commands without modifying stored configs.
Repro steps
Navigate to the Application Management module, edit an application, and enter a command used to verify the vulnerability in the Start Script field. Save the changes.
The current directory structure of the root directory on the remote server is as follows.
In the Deployment Management page, select the target server and click Start. The malicious command will then be executed.
The execution result is shown below.
Root cause
Business logic trusts client-supplied app.startScript (and similarly deployScript) and executes it; no server-side fetch by appId, no whitelist, no normalization.
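The fix the root cause implies is to treat only the app id in the request as input and to resolve the script from persisted configuration on the server side. The following is an added illustration of that pattern, not eladmin's own code: the class, the `AppRepository`/`ShellExecutor` interfaces and the `App` model are assumptions modelled on the names in this report, and the real service would use the project's repositories and `ExecuteShellUtil` in their place.

```java
import java.util.Objects;
import java.util.Optional;
import java.util.Set;

// Added example (hypothetical names): a startServer that never executes a
// script taken from the request body. Only the app id is read from the
// request; the script is reloaded from storage by that id.
public class HardenedDeployService {

    // Minimal stand-in for the persisted App entity referenced in the report.
    public static final class App {
        public final Long id;
        public final String startScript;

        public App(Long id, String startScript) {
            this.id = id;
            this.startScript = startScript;
        }
    }

    // Stand-in for the project's data access layer (assumption).
    public interface AppRepository {
        Optional<App> findById(Long id);
    }

    // Stand-in for ExecuteShellUtil over SSH (assumption).
    public interface ShellExecutor {
        int execute(String host, String command);
    }

    private final AppRepository appRepository;
    private final ShellExecutor shell;

    public HardenedDeployService(AppRepository appRepository, ShellExecutor shell) {
        this.appRepository = appRepository;
        this.shell = shell;
    }

    /**
     * Resolves the start script from the stored App rather than from the
     * request. A tampered request body can therefore only select which
     * configured app to start, not what command runs on the servers.
     */
    public String startServer(Long requestedAppId, Set<String> targetHosts) {
        Long appId = Objects.requireNonNull(requestedAppId, "app id is required");
        App app = appRepository.findById(appId)
                .orElseThrow(() -> new IllegalArgumentException("unknown app " + appId));

        String script = app.startScript;
        if (script == null || script.isBlank()) {
            throw new IllegalStateException("app " + appId + " has no start script configured");
        }

        for (String host : targetHosts) {
            shell.execute(host, script);
        }
        // Returned so callers (and tests) can confirm which script was used.
        return script;
    }
}
```

Two caveats a reviewer of the real patch would want to check. First, the `@PreAuthorize` check on the controller is unaffected by this change; it is an authorization check only and cannot tell a legitimate request from one carrying a modified `app.startScript`, so the fix has to live in the service where the script is chosen. Second, the repro steps in this report edit the stored start script through Application Management, so the persisted value is itself written by whoever holds the app edit permission; reloading by id removes the request-body path, but the stored script still deserves the same treatment as any other privileged configuration (tight edit permission, change auditing) rather than being regarded as trusted.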