CVE-2021-28398 - OpenCVE

A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Osgeo	Geonetwork

Configuration 1 [-]

OR	cpe:2.3:a:osgeo:geonetwork::::::::
	cpe:2.3:a:osgeo:geonetwork::::::::
	cpe:2.3:a:osgeo:geonetwork:4.0.0:alpha1::::::
	cpe:2.3:a:osgeo:geonetwork:4.0.0:alpha2::::::

References

Link	Resource
https://geonetwork-opensource.org/	Product
https://geonetwork-opensource.org/manuals/trunk/en/overview/change-log/version-3.6.0.html	Patch Release Notes Vendor Advisory
https://github.com/geonetwork/core-geonetwork	Third Party Advisory
https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-cf8p-c88c-h9jf	Mitigation Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-09-05T16:09:29

Updated: 2022-09-05T16:09:29

Reserved: 2021-03-15T00:00:00

Link: CVE-2021-28398

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-09-05T17:15:19.083

Modified: 2022-10-01T02:18:23.047

Link: CVE-2021-28398

JSON object: View

Redhat Information

No data.

CWE

CWE-78

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-05T16:09:29", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://geonetwork-opensource.org/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/geonetwork/core-geonetwork"}, {"tags": ["x_refsource_MISC"], "url": "https://geonetwork-opensource.org/manuals/trunk/en/overview/change-log/version-3.6.0.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-cf8p-c88c-h9jf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-28398", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://geonetwork-opensource.org/", "refsource": "MISC", "url": "https://geonetwork-opensource.org/"}, {"name": "https://github.com/geonetwork/core-geonetwork", "refsource": "MISC", "url": "https://github.com/geonetwork/core-geonetwork"}, {"name": "https://geonetwork-opensource.org/manuals/trunk/en/overview/change-log/version-3.6.0.html", "refsource": "MISC", "url": "https://geonetwork-opensource.org/manuals/trunk/en/overview/change-log/version-3.6.0.html"}, {"name": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-cf8p-c88c-h9jf", "refsource": "CONFIRM", "url": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-cf8p-c88c-h9jf"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-28398", "datePublished": "2022-09-05T16:09:29", "dateReserved": "2021-03-15T00:00:00", "dateUpdated": "2022-09-05T16:09:29", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:osgeo:geonetwork:*:*:*:*:*:*:*:*", "matchCriteriaId": "1299B47E-8561-47D5-BF7B-2E33CC71BF9F", "versionEndExcluding": "3.12.0", "versionStartIncluding": "3.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:osgeo:geonetwork:*:*:*:*:*:*:*:*", "matchCriteriaId": "5959BA61-0F46-4F25-8AD7-3AF29CEDF3F8", "versionEndExcluding": "4.0.4", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:osgeo:geonetwork:4.0.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "58A83C77-BABD-4DE5-BEC9-30798C3CB6B8", "vulnerable": true}, {"criteria": "cpe:2.3:a:osgeo:geonetwork:4.0.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "58DC7012-9FE1-4A16-9807-885939EEA36E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0."}, {"lang": "es", "value": "Un atacante privilegiado en GeoNetwork versiones anteriores a 3.12.0 y versiones 4.x anteriores a 4.0.4, puede usar el script previo del recolector de directorios para ejecutar comandos arbitrarios del Sistema Operativo de forma remota en la infraestructura de alojamiento. Para llevarlo a cabo es requerida una cuenta de usuario administrador o de administrador. Esto ocurre en el m\u00e9todo runBeforeScript en harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. La primera versi\u00f3n afectada es la 3.4.0"}], "id": "CVE-2021-28398", "lastModified": "2022-10-01T02:18:23.047", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-05T17:15:19.083", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://geonetwork-opensource.org/"}, {"source": "cve@mitre.org", "tags": ["Patch", "Release Notes", "Vendor Advisory"], "url": "https://geonetwork-opensource.org/manuals/trunk/en/overview/change-log/version-3.6.0.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/geonetwork/core-geonetwork"}, {"source": "cve@mitre.org", "tags": ["Mitigation", "Patch", "Third Party Advisory"], "url": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-cf8p-c88c-h9jf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}