Vulnerability Details : CVE-2021-30070
An issue was discovered in HestiaCP before v1.3.5. Attackers are able to arbitrarily install packages because values taken from the pgk[] parameter of the update request are passed to the operating system's package manager.
Products affected by CVE-2021-30070
- cpe:2.3:a:hestiacp:hestiacp:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-30070
- EPSS score: 0.06% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~25% (the proportion of vulnerabilities scored at or below this value)
- EPSS Score History
CVSS scores for CVE-2021-30070
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST | |
References for CVE-2021-30070
- https://github.com/hestiacp/hestiacp/commit/9a1fccd37f2842fdf96ffb48895c4bfa9788c469 (Prevent install via CLI / API / WebGUI via command v-update-sys-hesti… · hestiacp/hestiacp@9a1fccd) - Patch; Third Party Advisory
- https://github.com/hestiacp/hestiacp/commit/27556a9a43aeaf308b33be224c2e70f2011574e6 (Merge remote-tracking branch 'jaapmarcus/fix/prevent-install-non-cont… · hestiacp/hestiacp@27556a9) - Patch; Third Party Advisory