CVE-2021-31581 - OpenCVE

The restricted shell provided by Akkadian Provisioning Manager Engine (PME) can be escaped by abusing the 'Edit MySQL Configuration' command. This command launches a standard vi editor interface which can then be escaped. This issue was resolved in Akkadian OVA appliance version 3.0 (and later), Akkadian Provisioning Manager 5.0.2 (and later), and Akkadian Appliance Manager 3.3.0.314-4a349e0 (and later).

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Akkadianlabs	Provisioning Manager Ova Appliance

Configuration 1 [-]

OR	cpe:2.3:a:akkadianlabs:ova_appliance::::::::
	cpe:2.3:a:akkadianlabs:provisioning_manager::::::::
	cpe:2.3:a:akkadianlabs:provisioning_manager::::::::

References

Link	Resource
https://www.rapid7.com/blog/post/2021/06/08/akkadian-provisioning-manager-multiple-vulnerabilities-disclosure/	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: rapid7

Published: 2021-07-22T18:27:19

Updated: 2021-07-22T18:27:19

Reserved: 2021-04-22T00:00:00

Link: CVE-2021-31581

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-07-22T19:15:08.953

Modified: 2021-08-04T01:57:55.913

Link: CVE-2021-31581

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Provisioning Manager Engine (PME)", "vendor": "Akkadian", "versions": [{"lessThanOrEqual": "4.50.18", "status": "affected", "version": "4.50.18", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Cale Black, Ryan Villarreal, and Jonathan Peterson of Rapid7"}], "descriptions": [{"lang": "en", "value": "The restricted shell provided by Akkadian Provisioning Manager Engine (PME) can be escaped by abusing the 'Edit MySQL Configuration' command. This command launches a standard vi editor interface which can then be escaped. This issue was resolved in Akkadian OVA appliance version 3.0 (and later), Akkadian Provisioning Manager 5.0.2 (and later), and Akkadian Appliance Manager 3.3.0.314-4a349e0 (and later)."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-07-22T18:27:19", "orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.rapid7.com/blog/post/2021/06/08/akkadian-provisioning-manager-multiple-vulnerabilities-disclosure/"}], "source": {"discovery": "EXTERNAL"}, "title": "Akkadian Provisioning Manager Engine (PME) Shell Escape via 'vi' editor interface", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@rapid7.com", "ID": "CVE-2021-31581", "STATE": "PUBLIC", "TITLE": "Akkadian Provisioning Manager Engine (PME) Shell Escape via 'vi' editor interface"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Provisioning Manager Engine (PME)", "version": {"version_data": [{"version_affected": "<=", "version_name": "4.50.18", "version_value": "4.50.18"}]}}]}, "vendor_name": "Akkadian"}]}}, "credit": [{"lang": "eng", "value": "Cale Black, Ryan Villarreal, and Jonathan Peterson of Rapid7"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The restricted shell provided by Akkadian Provisioning Manager Engine (PME) can be escaped by abusing the 'Edit MySQL Configuration' command. This command launches a standard vi editor interface which can then be escaped. This issue was resolved in Akkadian OVA appliance version 3.0 (and later), Akkadian Provisioning Manager 5.0.2 (and later), and Akkadian Appliance Manager 3.3.0.314-4a349e0 (and later)."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-269 Improper Privilege Management"}]}]}, "references": {"reference_data": [{"name": "https://www.rapid7.com/blog/post/2021/06/08/akkadian-provisioning-manager-multiple-vulnerabilities-disclosure/", "refsource": "MISC", "url": "https://www.rapid7.com/blog/post/2021/06/08/akkadian-provisioning-manager-multiple-vulnerabilities-disclosure/"}]}, "source": {"discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "assignerShortName": "rapid7", "cveId": "CVE-2021-31581", "datePublished": "2021-07-22T18:27:19", "dateReserved": "2021-04-22T00:00:00", "dateUpdated": "2021-07-22T18:27:19", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:akkadianlabs:ova_appliance:*:*:*:*:*:*:*:*", "matchCriteriaId": "4827961D-5C4A-4C9E-BD22-65CA440071A6", "versionEndExcluding": "3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:akkadianlabs:provisioning_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "339F2068-073C-416D-B5E5-F1A468FE8904", "versionEndExcluding": "3.3.0.314-4a349e0", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:akkadianlabs:provisioning_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "D08EC19B-0A36-4D9A-9894-FB41F8414CB6", "versionEndExcluding": "5.0.2", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The restricted shell provided by Akkadian Provisioning Manager Engine (PME) can be escaped by abusing the 'Edit MySQL Configuration' command. This command launches a standard vi editor interface which can then be escaped. This issue was resolved in Akkadian OVA appliance version 3.0 (and later), Akkadian Provisioning Manager 5.0.2 (and later), and Akkadian Appliance Manager 3.3.0.314-4a349e0 (and later)."}, {"lang": "es", "value": "El shell restringido proporcionado por Akkadian Provisioning Manager Engine (PME) puede ser escapado al abusar del comando \"Edit MySQL Configuration\". Este comando lanza una interfaz de editor vi est\u00e1ndar que puede entonces ser escapada. Este problema fue resuelto en Akkadian OVA appliance versiones 3.0 (y posteriores), Akkadian Provisioning Manager versiones 5.0.2 (y posteriores), and Akkadian Appliance Manager versiones 3.3.0.314-4a349e0 (y posteriores)"}], "id": "CVE-2021-31581", "lastModified": "2021-08-04T01:57:55.913", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 5.8, "source": "cve@rapid7.com", "type": "Secondary"}]}, "published": "2021-07-22T19:15:08.953", "references": [{"source": "cve@rapid7.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.rapid7.com/blog/post/2021/06/08/akkadian-provisioning-manager-multiple-vulnerabilities-disclosure/"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-269"}], "source": "cve@rapid7.com", "type": "Secondary"}]}