Lucene search

[email protected]CVE-2021-25094

HistoryApr 25, 2022 - 4:16 p.m.

CVE-2021-25094

2022-04-2516:16:07

CWE-306

[email protected]

web.nvd.nist.gov

In Wild

cve-2021-25094

tatsu

wordpress

plugin

unauthenticated upload

zip extraction

race condition

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8.1 High

AI Score

Confidence

High

0.122 Low

EPSS

Percentile

95.4%

JSON

The Tatsu WordPress plugin before 3.3.12 add_custom_font action can be used without prior authentication to upload a rogue zip file which is uncompressed under the WordPress’s upload directory. By adding a PHP shell with a filename starting with a dot “.”, this can bypass extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process which makes the shell file live long enough on the filesystem to be callable by an attacker.

Affected configurations

Vulners

NVD

Node

brandexponentstatsuRange<3.3.12

VendorProductVersionCPE
brandexponentstatsu*cpe:2.3:a:brandexponents:tatsu:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
brandexponents	tatsu	*	cpe:2.3:a:brandexponents:tatsu::::::::

CNA Affected

[
  {
    "product": "Tatsu",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "3.3.12",
        "status": "affected",
        "version": "3.3.12",
        "versionType": "custom"
      }
    ]
  }
]