CVE-2021-31580

The restricted shell provided by Akkadian Provisioning Manager Engine (PME) can be bypassed by switching the OpenSSH channel from `shell` to `exec` and providing the ssh client a single execution parameter. This issue was resolved in Akkadian OVA appliance version 3.0 (and later), Akkadian Provisioning Manager 5.0.2 (and later), and Akkadian Appliance Manager 3.3.0.314-4a349e0 (and later).

CVSS v3 9.8 CRITICAL
CVSS v2.0 10.0 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

10.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://www.rapid7.com/blog/post/2021/06/08/akkadian-provisioning-manager-multiple-vulnerabilities-disclosure/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:akkadianlabs:ova_appliance::::::::
	cpe:2.3:a:akkadianlabs:provisioning_manager::::::::
	cpe:2.3:a:akkadianlabs:provisioning_manager::::::::

History

No history.

Information

Published : 2021-07-22 19:15

Updated : 2024-02-28 18:28

NVD link : CVE-2021-31580

Mitre link : CVE-2021-31580

CVE.ORG link : CVE-2021-31580

JSON object : View

Products Affected

akkadianlabs

provisioning_manager
ova_appliance

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2021-31580", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "cve@rapid7.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.3}]}, "published": "2021-07-22T19:15:08.883", "references": [{"url": "https://www.rapid7.com/blog/post/2021/06/08/akkadian-provisioning-manager-multiple-vulnerabilities-disclosure/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@rapid7.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}, {"type": "Secondary", "source": "cve@rapid7.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "The restricted shell provided by Akkadian Provisioning Manager Engine (PME) can be bypassed by switching the OpenSSH channel from `shell` to `exec` and providing the ssh client a single execution parameter. This issue was resolved in Akkadian OVA appliance version 3.0 (and later), Akkadian Provisioning Manager 5.0.2 (and later), and Akkadian Appliance Manager 3.3.0.314-4a349e0 (and later)."}, {"lang": "es", "value": "El shell restringido proporcionado por Akkadian Provisioning Manager Engine (PME) puede ser omitido cambiando el canal OpenSSH de \"shell\" a \"exec\" y proporcionando al cliente ssh un \u00fanico par\u00e1metro de ejecuci\u00f3n. Este problema fue resuelto en Akkadian OVA appliance versiones 3.0 (y posteriores), Akkadian Provisioning Manager versiones 5.0.2 (y posteriores), and Akkadian Appliance Manager versiones 3.3.0.314-4a349e0 (y posteriores)"}], "lastModified": "2021-08-09T18:11:27.493", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:akkadianlabs:ova_appliance:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4827961D-5C4A-4C9E-BD22-65CA440071A6", "versionEndExcluding": "3.0"}, {"criteria": "cpe:2.3:a:akkadianlabs:provisioning_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "339F2068-073C-416D-B5E5-F1A468FE8904", "versionEndExcluding": "3.3.0.314-4a349e0", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:akkadianlabs:provisioning_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D08EC19B-0A36-4D9A-9894-FB41F8414CB6", "versionEndExcluding": "5.0.2", "versionStartIncluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@rapid7.com"}