CVE-2018-18603 - OpenCVE

360 Total Security 3.5.0.1033 allows a Sandbox Escape via an "import os" statement, followed by os.system("CMD") or os.system("PowerShell"), within a .py file. NOTE: the vendor's position is that this cannot be categorized as a vulnerability, although it is a security-related issue

No CVSS v4.0

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
360totalsecurity	360 Total Security

Configuration 1 [-]

cpe:2.3:a:360totalsecurity:360_total_security:3.5.0.1033:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://exchange.xforce.ibmcloud.com/vulnerabilities/151867
https://github.com/sandboxescape/360-3.5.0.1033-Sandbox-Escape-Exploit/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-10-23T16:00:00

Updated: 2024-08-05T11:15:59.853Z

Reserved: 2018-10-23T00:00:00

Link: CVE-2018-18603

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-10-23T16:29:00.407

Modified: 2024-08-05T12:15:18.320

Link: CVE-2018-18603

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-10-23T00:00:00", "descriptions": [{"lang": "en", "value": "360 Total Security 3.5.0.1033 allows a Sandbox Escape via an \"import os\" statement, followed by os.system(\"CMD\") or os.system(\"PowerShell\"), within a .py file. NOTE: the vendor's position is that this cannot be categorized as a vulnerability, although it is a security-related issue"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-24T17:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/sandboxescape/360-3.5.0.1033-Sandbox-Escape-Exploit/"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-18603", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** 360 Total Security 3.5.0.1033 allows a Sandbox Escape via an \"import os\" statement, followed by os.system(\"CMD\") or os.system(\"PowerShell\"), within a .py file. NOTE: the vendor's position is that this cannot be categorized as a vulnerability, although it is a security-related issue."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/sandboxescape/360-3.5.0.1033-Sandbox-Escape-Exploit/", "refsource": "MISC", "url": "https://github.com/sandboxescape/360-3.5.0.1033-Sandbox-Escape-Exploit/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T11:15:59.853Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/sandboxescape/360-3.5.0.1033-Sandbox-Escape-Exploit/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-18603", "datePublished": "2018-10-23T16:00:00", "dateReserved": "2018-10-23T00:00:00", "dateUpdated": "2024-08-05T11:15:59.853Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:360totalsecurity:360_total_security:3.5.0.1033:*:*:*:*:*:*:*", "matchCriteriaId": "8A1D5907-E59C-46F7-9181-14B800419423", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "360 Total Security 3.5.0.1033 allows a Sandbox Escape via an \"import os\" statement, followed by os.system(\"CMD\") or os.system(\"PowerShell\"), within a .py file. NOTE: the vendor's position is that this cannot be categorized as a vulnerability, although it is a security-related issue"}, {"lang": "es", "value": "** EN DISPUTA ** 360 Total Security 3.5.0.1033 permite el escape del sandbox mediante una instrucci\u00f3n \"import os\", seguida por os.system (\"CMD\") u os.system(\"PowerShell\"), en un archivo .py. NOTA: la posici\u00f3n del fabricante fabricante es que esto no puede ser categorizado como una vulnerabilidad, aunque es un tema relacionado con la seguridad."}], "id": "CVE-2018-18603", "lastModified": "2024-08-05T12:15:18.320", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-10-23T16:29:00.407", "references": [{"source": "nvd@nist.gov", "tags": ["Third Party Advisory"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/151867"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/sandboxescape/360-3.5.0.1033-Sandbox-Escape-Exploit/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}