CVE-2021-22502 : Remote Code execution vulnerability in Micro Focus Operation Bridge Reporter (OB

Remote Code execution vulnerability in Micro Focus Operation Bridge Reporter (OBR) product, affecting version 10.40. The vulnerability could be exploited to allow Remote Code Execution on the OBR server.

Published 2021-02-08 22:15:13

Updated 2025-03-12 20:57:21

Source OpenText

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2021-22502

Microfocus » Operation Bridge Reporter » Version: 10.40
cpe:2.3:a:microfocus:operation_bridge_reporter:10.40:*:*:*:*:*:*:*
Matching versions

CVE-2021-22502 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Micro Focus Operation Bridge Report (OBR) Remote Code Execution Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

Micro Focus Operation Bridge Report (OBR) contains an unspecified vulnerability that allows for remote code execution.

Notes:

https://nvd.nist.gov/vuln/detail/CVE-2021-22502

Added on 2021-11-03 Action due date 2021-11-17

Exploit prediction scoring system (EPSS) score for CVE-2021-22502

EPSS FAQ

93.98%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2021-22502

Micro Focus Operations Bridge Reporter Unauthenticated Command Injection

Disclosure Date: 2021-02-09

First seen: 2021-04-30

exploit/linux/http/microfocus_obr_cmd_injection

This module exploits a command injection vulnerability on *login* (yes, you read that right) that affects Micro Focus Operations Bridge Reporter on Linux, versions 10.40 and below. It's a straight up command injection, with little escaping required and it works before

More information

CVSS scores for CVE-2021-22502

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-06
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2021-22502

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2021-22502

https://www.zerodayinitiative.com/advisories/ZDI-21-153/

ZDI-21-153 | Zero Day Initiative
Third Party Advisory;VDB Entry
http://packetstormsecurity.com/files/162408/Micro-Focus-Operations-Bridge-Reporter-Unauthenticated-Command-Injection.html

Micro Focus Operations Bridge Reporter Unauthenticated Command Injection ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
https://softwaresupport.softwaregrp.com/doc/KM03775947

MySupport - Micro Focus Software Support
Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-154/

ZDI-21-154 | Zero Day Initiative
Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2021-22502