CVE-2023-32637
Publication date 25 July 2023
Last updated 11 February 2026
Ubuntu priority
Cvss 3 Severity Score
Description
GBrowse accepts uploaded files of any format and places them in an area accessible through unauthenticated web requests. Therefore, anyone who can upload files through the product may execute arbitrary code on the server.
Why is this CVE high priority?
This has a high priority because it is a vulnerability that allows a remote attacker to execute code on a machine, and it looks to be easily exploitable given that it involves regular functionality provided by the application.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| gbrowse | 25.10 questing | Not affected |
| | 24.04 LTS noble | Not affected |
| | 22.04 LTS jammy | Not affected |
| | 20.04 LTS focal | Not affected |
| | 18.04 LTS bionic | Not affected |
| | 16.04 LTS xenial | Not affected |
| | 14.04 LTS trusty | Ignored end of standard support |
Notes
ccdm94
This has likely been fixed in all 2.x versions.
john-breton
Turns out there is a file validation mechanism in 2.54, which means files with dangerous types are not accepted. Ubuntu is therefore completely unaffected.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |