The Device42 Main Appliance before 17.05.01 does not sanitize user input in its Nmap Discovery utility. An attacker (with permissions to add or edit jobs run by this utility) can inject an extra argument to overwrite arbitrary files as the root user on the Remote Collector.
References
Link | Resource |
---|---|
https://blog.device42.com/2021/09/critical-fixes-in-17-05-01/ | Vendor Advisory |
https://docs.device42.com/auto-discovery/nmap-autodiscovery/ | Product Vendor Advisory |
https://docs.device42.com/auto-discovery/remote-collector-rc/ | Vendor Advisory |
https://blog.device42.com/2021/09/critical-fixes-in-17-05-01/ | Vendor Advisory |
https://docs.device42.com/auto-discovery/nmap-autodiscovery/ | Product Vendor Advisory |
https://docs.device42.com/auto-discovery/remote-collector-rc/ | Vendor Advisory |
Configurations
History
21 Nov 2024, 06:26
Type | Values Removed | Values Added |
---|---|---|
References | () https://blog.device42.com/2021/09/critical-fixes-in-17-05-01/ - Vendor Advisory | |
References | () https://docs.device42.com/auto-discovery/nmap-autodiscovery/ - Product, Vendor Advisory | |
References | () https://docs.device42.com/auto-discovery/remote-collector-rc/ - Vendor Advisory |
Information
Published : 2021-09-17 15:15
Updated : 2024-11-21 06:26
NVD link : CVE-2021-41316
Mitre link : CVE-2021-41316
CVE.ORG link : CVE-2021-41316
JSON object : View
Products Affected
device42
- device42
CWE
CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')