CVE-2021-4406 - OpenCVE

An administrator is able to execute commands as root via the alerts management dialog

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Osnexus	Quantastor

Configuration 1 [-]

cpe:2.3:a:osnexus:quantastor:*:*:*:*:*:*:*:*

References

Link	Resource
https://csirt.divd.nl/CVE-2021-4406	Third Party Advisory
https://www.divd.nl/DIVD-2021-00020	Broken Link
https://www.osnexus.com/products/software-defined-storage	Product

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: DIVD

Published: 2023-07-10T06:29:48.698Z

Updated: 2023-07-10T06:29:48.698Z

Reserved: 2023-07-05T15:24:56.556Z

Link: CVE-2021-4406

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-07-10T16:15:47.747

Modified: 2023-07-13T18:52:57.930

Link: CVE-2021-4406

JSON object: View

Redhat Information

No data.

CWE

CWE-77

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2021-4406", "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217", "state": "PUBLISHED", "assignerShortName": "DIVD", "dateReserved": "2023-07-05T15:24:56.556Z", "datePublished": "2023-07-10T06:29:48.698Z", "dateUpdated": "2023-07-10T06:29:48.698Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217", "shortName": "DIVD", "dateUpdated": "2023-07-10T06:29:48.698Z"}, "title": "Authenticated Remote COmmand Execution as root in OSNEXUS QuantaStor version 6.0.0.355 and others", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')", "type": "CWE"}]}], "affected": [{"vendor": "OSNEXUS", "product": "QuantaStor", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "6.0.0.355", "versionType": "semver"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "An administrator is able to execute commands as root via the alerts management dialog", "supportingMedia": [{"type": "text/html", "base64": false, "value": "An administrator is able to execute commands as root via the alerts management dialog"}]}], "references": [{"url": "https://www.divd.nl/DIVD-2021-00020", "tags": ["third-party-advisory"]}, {"url": "https://www.osnexus.com/products/software-defined-storage", "tags": ["product"]}, {"url": "https://csirt.divd.nl/CVE-2021-4406", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}}], "solutions": [{"lang": "en", "value": "Upgrade to the latest version of OSNEXUS QuantaStor and hope it is fixed", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Upgrade to the latest version of OSNEXUS QuantaStor and hope it is fixed"}]}], "credits": [{"lang": "en", "value": "Wietse Boonstra", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}