cvelist Zowe CVELIST:CVE-2021-4326
History: Feb 22, 2023 - 3:21 p.m.

CVE-2021-4326 Imperative Local Command Injection allows Activity Masking

2023-02-22 15:21:06
Zowe
www.cve.org
vulnerability
local command injection
imperative framework
privileged actors
shell commands
plugin install
environment variables
zowe cli

CVSS3: 3.3

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:U/RC:C/CR:L/MAV:L/MAC:L/MPR:L/MUI:N/MS:U/MC:L

EPSS: 0
Percentile: 13.3%

A vulnerability in the Imperative framework allows already-privileged local actors to execute arbitrary shell commands via plugin install/update commands or maliciously formed environment variables. It impacts Zowe CLI.

CNA Affected

[
  {
    "vendor": "Open Mainframe Project",
    "product": "Zowe",
    "versions": [
      {
        "version": "1.16.0",
        "status": "affected",
        "lessThan": "1.28.2",
        "versionType": "semver"
      },
      {
        "version": "2.0.0",
        "status": "affected",
        "lessThan": "2.5.0",
        "versionType": "semver"
      }
    ]
  }
]

