An issue was discovered in CALDERA 2.8.1. It contains multiple startup "requirements" that execute commands when starting the server. Because these commands can be changed via the REST API, an authenticated user can insert arbitrary commands that will execute when the server is restarted.
References
| Link | Resource |
|---|---|
| https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2021-42559-Command%20Injection%20Via%20Configurations-MITRE%20Caldera | Exploit, Third Party Advisory |
| https://github.com/mitre/caldera/releases | Release Notes |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2022-01-12T19:11:03
Updated: 2022-01-12T19:11:03
Reserved: 2021-10-18T00:00:00
Link: CVE-2021-42559
NVD Information
Status: Analyzed
Published: 2022-01-12T20:15:08.380
Modified: 2022-01-19T19:46:37.717
Link: CVE-2021-42559
Redhat Information
No data.
CWE