Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nvd[email protected]NVD:CVE-2021-41282
HistoryMar 01, 2022 - 11:15 p.m.

CVE-2021-41282

2022-03-0123:15:08
CWE-74
[email protected]
web.nvd.nist.gov
6
pfsense
2.5.2
diag_routes.php
sed
data injection
netstat utility
sed utility
command injection
escapeshellarg
arbitrary file
security vulnerability

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.972

Percentile

99.8%

JSON

diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.

Affected configurations

Nvd
Node
pfsensepfsenseMatch2.5.2
VendorProductVersionCPE
pfsensepfsense2.5.2cpe:2.3:a:pfsense:pfsense:2.5.2:*:*:*:*:*:*:*

Related

prion 1
zdt 1
checkpoint_advisories 1
osv 1
packetstorm 1
cvelist 1
nuclei 1
metasploit 1
cve 1
rapid7blog 1
prion
prion
Command injection
2022-03-01 23:15:00
zdt
zdt
pfSense 2.5.2 Shell Upload Exploit
2022-03-04 00:00:00
checkpoint_advisories
checkpoint_advisories
pfSense Remote Code Execution (CVE-2021-41282)
2022-05-12 00:00:00
osv
osv
CVE-2021-41282
2022-03-01 23:15:08
packetstorm
packetstorm
pfSense 2.5.2 Shell Upload
2022-03-04 00:00:00
cvelist
cvelist
CVE-2021-41282
2022-03-01 22:45:03
nuclei
nuclei
pfSense - Arbitrary File Write
2022-03-19 09:05:40
metasploit
metasploit
pfSense Diag Routes Web Shell Upload
2022-02-28 02:12:54
cve
cve
CVE-2021-41282
2022-03-01 23:15:08
rapid7blog
rapid7blog
Metasploit Weekly Wrap-Up
2022-03-11 20:26:58

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.972

Percentile

99.8%

JSON
Related for NVD:CVE-2021-41282
prion1zdt1checkpoint_advisories1osv1packetstorm1cvelist1nuclei1metasploit1cve1rapid7blog1