Lucene search

[email protected]CVE-2021-30070

HistoryAug 18, 2022 - 5:15 a.m.

CVE-2021-30070

2022-08-1805:15:07

[email protected]

web.nvd.nist.gov

cve-2021-30070

hestiacp

package installation

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.9%

JSON

An issue was discovered in HestiaCP before v1.3.5. Attackers are able to arbitrarily install packages due to values taken from the pgk [] parameter in the update request being transmitted to the operating system’s package manager.

Affected configurations

NVD

Node

hestiacphestiacpRange<1.3.5

CPENameOperatorVersion
hestiacp:hestiacphestiacplt1.3.5

CPE	Name	Operator	Version
hestiacp:hestiacp	hestiacp	lt	1.3.5

References

github.com/hestiacp/hestiacp/commit/27556a9a43aeaf308b33be224c2e70f2011574e6

github.com/hestiacp/hestiacp/commit/9a1fccd37f2842fdf96ffb48895c4bfa9788c469

Social References

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.9%

JSON

Related for CVE-2021-30070

osv1 cvelist1 prion1 nvd1