jvn | Japan Vulnerability Notes | JVN:44033918
History: Feb 07, 2024 - 12:00 a.m.

JVN#44033918: Zeroshell vulnerable to OS command injection

2024-02-07 00:00:00
Japan Vulnerability Notes
jvn.jp
Tags: zeroshell, os command injection, linux distribution, http request, cwe-78, end-of-support

CVSS2: 10 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.6 High (Confidence: Low)

EPSS: 0.956 High (Percentile: 99.4%)

The web interface of Zeroshell, a Linux distribution provided by Zeroshell.org, contains an OS command injection vulnerability (CWE-78).

Impact

Processing a crafted HTTP request may lead to arbitrary OS command execution.

Solution

Stop using the product
The developer states that the affected product is no longer being developed and reached end of support in 2021.
The developer recommends that users stop using the product.

Products Affected

  • Zeroshell 3.9.3 and earlier
    The reporter verified this vulnerability on 3.9.3.
    It is unknown whether the issue is fixed or not on later versions.
    See also [JPCERT/CC Addendum] section below.
