Vulnerability Details : CVE-2021-41316
The Device42 Main Appliance before 17.05.01 does not sanitize user input in its Nmap Discovery utility. An attacker (with permissions to add or edit jobs run by this utility) can inject an extra argument to overwrite arbitrary files as the root user on the Remote Collector.
Products affected by CVE-2021-41316
- cpe:2.3:a:device42:device42:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-41316
0.11%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 43 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-41316
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.5
|
HIGH | AV:N/AC:L/Au:S/C:N/I:C/A:C |
8.0
|
9.2
|
NIST | |
8.1
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
2.8
|
5.2
|
NIST |
CWE ids for CVE-2021-41316
-
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-41316
-
https://blog.device42.com/2021/09/critical-fixes-in-17-05-01/
Critical Fixes in 17.05.01 | The Official Device42 BlogVendor Advisory
-
https://docs.device42.com/auto-discovery/nmap-autodiscovery/
Nmap Autodiscovery - Device42 Documentation | Device42 DocumentationProduct;Vendor Advisory
-
https://docs.device42.com/auto-discovery/remote-collector-rc/
Remote Collector (RC) - Device42 Documentation | Device42 DocumentationVendor Advisory
Jump to