CVE-2021-30070 - OpenCVE

An issue was discovered in HestiaCP before v1.3.5. Attackers are able to arbitrarily install packages due to values taken from the pgk [] parameter in the update request being transmitted to the operating system's package manager.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Hestiacp	Hestiacp

Configuration 1 [-]

cpe:2.3:a:hestiacp:hestiacp:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/hestiacp/hestiacp/commit/27556a9a43aeaf308b33be224c2e70f2011574e6	Patch Third Party Advisory
https://github.com/hestiacp/hestiacp/commit/9a1fccd37f2842fdf96ffb48895c4bfa9788c469	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-08-18T04:16:34

Updated: 2022-08-18T04:16:19

Reserved: 2021-04-02T00:00:00

Link: CVE-2021-30070

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-08-18T05:15:07.167

Modified: 2022-08-19T16:41:09.317

Link: CVE-2021-30070

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in HestiaCP before v1.3.5. Attackers are able to arbitrarily install packages due to values taken from the pgk [] parameter in the update request being transmitted to the operating system's package manager."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-18T04:16:19", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/hestiacp/hestiacp/commit/9a1fccd37f2842fdf96ffb48895c4bfa9788c469"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/hestiacp/hestiacp/commit/27556a9a43aeaf308b33be224c2e70f2011574e6"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-30070", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in HestiaCP before v1.3.5. Attackers are able to arbitrarily install packages due to values taken from the pgk [] parameter in the update request being transmitted to the operating system's package manager."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/hestiacp/hestiacp/commit/9a1fccd37f2842fdf96ffb48895c4bfa9788c469", "refsource": "MISC", "url": "https://github.com/hestiacp/hestiacp/commit/9a1fccd37f2842fdf96ffb48895c4bfa9788c469"}, {"name": "https://github.com/hestiacp/hestiacp/commit/27556a9a43aeaf308b33be224c2e70f2011574e6", "refsource": "MISC", "url": "https://github.com/hestiacp/hestiacp/commit/27556a9a43aeaf308b33be224c2e70f2011574e6"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-30070", "datePublished": "2022-08-18T04:16:34", "dateReserved": "2021-04-02T00:00:00", "dateUpdated": "2022-08-18T04:16:19", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}