CVE-2023-2868: Barracuda Networks ESG Appliance Improper Input Validation Vulnerability

First published: Wed May 24 2023(Updated: )

A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product effecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of BNSF-36456 patch. This patch was automatically applied to all customer appliances.

Credit: cve-coordination@google.com cve-coordination@google.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-latest
• agent/type
• agent/title
• agent/description
• collector/the-register
• source/The Register
• alias/CVE-2023-5217
• alias/CVE-2023-4863
• alias/CVE-2023-41064
• alias/CVE-2023-2868
• alias/CVE-2023-7102
• alias/CVE-2022-41328
• alias/CVE-2023-20867
• alias/CVE-2023-34048
• zeroday/true
• agent/news-ai
• agent/weakness
• collector/nvd-index
• agent/software-canonical-lookup-request
• collector/mitre-cve
• source/MITRE
• agent/severity
• agent/first-publish-date
• exploited/true
• collector/cisa-known-exploited
• source/CISA
• agent/software-canonical-lookup
• agent/references
• agent/event
• agent/author
• agent/softwarecombine
• agent/tags
• collector/nvd-cve
• source/NVD
• agent/last-modified-date
• agent/trending
• vendor/barracuda
• canonical/barracuda email security gateway 300 firmware
• version/barracuda email security gateway 300 firmware/5.1.3.001
• version/barracuda email security gateway 300 firmware/9.2.0.006
• canonical/barracuda email security gateway 300
• canonical/barracuda email security gateway 400 firmware
• version/barracuda email security gateway 400 firmware/5.1.3.001
• version/barracuda email security gateway 400 firmware/9.2.0.006
• canonical/barracuda email security gateway 400
• canonical/barracuda email security gateway 600 firmware
• version/barracuda email security gateway 600 firmware/5.1.3.001
• version/barracuda email security gateway 600 firmware/9.2.0.006
• canonical/barracuda email security gateway 600
• canonical/barracuda email security gateway 800 firmware
• version/barracuda email security gateway 800 firmware/5.1.3.001
• version/barracuda email security gateway 800 firmware/9.2.0.006
• canonical/barracuda email security gateway 800
• canonical/barracuda email security gateway 900 firmware
• version/barracuda email security gateway 900 firmware/5.1.3.001
• version/barracuda email security gateway 900 firmware/9.2.0.006
• canonical/barracuda email security gateway 900
• vendor/barracuda networks
• canonical/barracuda networks email security gateway (esg) appliance