Movable Type XMLRPC API vulnerable to command injection


Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability (CWE-74).
Sending a specially crafted message by POST method to Movable Type XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it.
According to the developer, it is unable to execute a command with an arbitrary value added to its argument, even if the vulnerability is exploited.

Osaka University of Economics reported this vulnerability to Six Apart Ltd. and coordinated. Six Apart Ltd. and JPCERT/CC published respective advisories in order to notify users of this vulnerability.

And almost at the same time, SHIGA TAKUMA of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with Six Apart Ltd. under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 9.8 (Critical) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 7.5 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

Six Apart, Ltd.
  • Movable Type 7 r.5202 and earlier (Movable Type 7 Series)
  • Movable Type 6.8.6 and earlier (Movable Type 6 Series)
  • Movable Type Advanced 6.8.6 and earlier (Movable Type Advanced 6 Series)
  • Movable Type Advanced 7 r.5202 and earlier (Movable Type Advanced 7 Series)
  • Movable Type Premium 1.52 and earlier
  • Movable Type Premium Advanced 1.52 and earlier

The developer states that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are affected by this vulnerability.

An arbitrary Perl script may be executed by a remote attacker. As a result, an arbitrary OS command may be executed.

[Update the Software]
Apply the appropriate update according to the information provided by the developer.
The developer has released the following updates that contain a fix for this vulnerability:
* Movable Type 7 r.5301 (Movable Type 7 Series)
* Movable Type Advanced 7 r.5301 (Movable Type Advanced 7 Series)
* Movable Type 6.8.7 (Movable Type 6 Series)
* Movable Type Advanced 6.8.7 (Movable Type Advanced 6 Series)
* Movable Type Premium 1.53
* Movable Type Premium Advanced 1.53

[Apply the workaround]
Applying workarounds may mitigate the impacts of this vulnerability.
The developer recommends applying the following mitigation to the products.
* Disabe XMLRPC API function of Movable Type
Vendor Information

Six Apart, Ltd.
CWE (What is CWE?)

  1. OS Command Injection(CWE-78) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2022-38078

  1. JVN : JVN#57728859
  2. National Vulnerability Database (NVD) : CVE-2022-38078
  4. JPCERT : Alert Regarding Vulnerability in Movable Type XMLRPC API
Revision History

  • [2022/08/24]
      Web page was published
  • [2024/06/13]
      References : Content was added