Crayfish is a collection of Islandora 8 microservices, one of which, Homarus, provides FFmpeg as a microservice. Prior to Crayfish version 4.1.0, remote code execution may be possible in web-accessible installations of Homarus in certain configurations. The issue has been patched in `islandora/crayfish:4.1.0`. Some workarounds are available. The exploit requires making a request against the Homarus's `/convert` endpoint; therefore, the ability to exploit is much reduced if the microservice is not directly accessible from the Internet, so: Prevent general access from the Internet from hitting Homarus. Alternatively or additionally, configure auth in Crayfish to be more strongly required, such that requests with `Authorization` headers that do not validate are rejected before the problematic CLI interpolation occurs.
The vulnerability stems from improper handling of input data sent to the `/convert` endpoint of the Homarus microservice, which exposes FFmpeg as a network service. User input is interpolated directly into command-line invocation (CLI interpolation) without adequate validation or sanitization, corresponding to CWE-150 and CWE-157 classifications. An attacker can craft an HTTP request containing a malicious payload that will be executed as a system command on the server side. Risk is significantly limited when the microservice is not directly accessible from the Internet or when the authorization mechanism properly rejects unauthenticated requests before interpolation occurs.
An attacker can gain full control over the system running Homarus, including the ability to read and modify data and compromise service availability (complete CIA triad). In a scenario without authentication, the vulnerability is remotely exploitable by any network attacker.
The package should be updated to version islandora/crayfish:4.1.0, in which the vulnerability has been fixed. As a workaround, access to Homarus from the Internet should be restricted at the network/firewall level, and Crayfish should be configured to require stronger authentication so that requests with invalid Authorization headers are rejected before the vulnerable CLI interpolation occurs.
The Crayfish package (islandora/crayfish) in versions prior to 4.1.0, particularly installations where the Homarus microservice is directly accessible from the Internet.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H