Command injection

2022-09-0517:15:00

PRIOn knowledge base

www.prio-n.com

7.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.7%

JSON

A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0.

CPENameOperatorVersion
geonetworkge4.0.0
geonetworklt4.0.4
geonetworkge3.4.0
geonetworklt3.12.0
geonetworkeq4.0.0 alpha2
geonetworkeq4.0.0 alpha1

Name	Operator	Version
geonetwork	ge	4.0.0
geonetwork	lt	4.0.4
geonetwork	ge	3.4.0
geonetwork	lt	3.12.0
geonetwork	eq	4.0.0 alpha2
geonetwork	eq	4.0.0 alpha1

References

geonetwork-opensource.org/

geonetwork-opensource.org/manuals/trunk/en/overview/change-log/version-3.6.0.html

github.com/geonetwork/core-geonetwork

github.com/geonetwork/core-geonetwork/security/advisories/GHSA-cf8p-c88c-h9jf