Lucene search

MitreCVELIST:CVE-2021-26471

HistoryJun 08, 2021 - 6:36 p.m.

CVE-2021-26471 Unauthenticated remote command execution in Vembu products

2021-06-0818:36:14

mitre

www.cve.org

cve-2021-26471

vembubdr

vembuoffsitedr

http api

remote command execution

shell commands

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.003

Percentile

68.5%

JSON

In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1, the http API located at /sgwebservice_o.php accepts a command argument. Using this command argument an unauthenticated attacker can execute arbitrary shell commands.

References

csirt.divd.nl/2021/05/11/Vembu-zero-days/

csirt.divd.nl/cases/DIVD-2020-00011/

csirt.divd.nl/cves/CVE-2021-26471/

www.wbsec.nl/vembu

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.003

Percentile

68.5%

JSON

Related for CVELIST:CVE-2021-26471