Vulnerability Details : CVE-2021-41316
The Device42 Main Appliance before 17.05.01 does not sanitize user input in its Nmap Discovery utility. An attacker (with permissions to add or edit jobs run by this utility) can inject an extra argument to overwrite arbitrary files as the root user on the Remote Collector.
Exploit prediction scoring system (EPSS) score for CVE-2021-41316
Probability of exploitation activity in the next 30 days: 0.11%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 43 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2021-41316
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
8.5
|
HIGH | AV:N/AC:L/Au:S/C:N/I:C/A:C |
8.0
|
9.2
|
NIST |
8.1
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
2.8
|
5.2
|
NIST |
CWE ids for CVE-2021-41316
-
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-41316
-
https://blog.device42.com/2021/09/critical-fixes-in-17-05-01/
Critical Fixes in 17.05.01 | The Official Device42 BlogVendor Advisory
-
https://docs.device42.com/auto-discovery/nmap-autodiscovery/
Nmap Autodiscovery - Device42 Documentation | Device42 DocumentationProduct;Vendor Advisory
-
https://docs.device42.com/auto-discovery/remote-collector-rc/
Remote Collector (RC) - Device42 Documentation | Device42 DocumentationVendor Advisory
Products affected by CVE-2021-41316
- cpe:2.3:a:device42:device42:*:*:*:*:*:*:*:*