The Device42 Main Appliance before 17.05.01 does not sanitize user input in its Nmap Discovery utility. An attacker (with permissions to add or edit jobs run by this utility) can inject an extra argument to overwrite arbitrary files as the root user on the Remote Collector.
References
Link | Resource |
---|---|
https://blog.device42.com/2021/09/critical-fixes-in-17-05-01/ | Vendor Advisory |
https://docs.device42.com/auto-discovery/nmap-autodiscovery/ | Product Vendor Advisory |
https://docs.device42.com/auto-discovery/remote-collector-rc/ | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2021-09-17T14:45:53
Updated: 2021-09-17T14:45:53
Reserved: 2021-09-17T00:00:00
Link: CVE-2021-41316
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-09-17T15:15:07.957
Modified: 2021-09-30T18:23:27.640
Link: CVE-2021-41316
JSON object: View
Redhat Information
No data.
CWE