Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Zepl Notebook Remote Code Execution Vulnerability

🗓️ 17 Feb 2022 00:00:00Reported by Josh SheppardType 
zdt
 zdt🔗 0day.today👁 278 Views

Zepl Notebook Remote Code Execution Vulnerability, affects all previous versions, discovered and exploited by Josh Sheppard & Pathfynder Inc, CVE-2021-42950

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Zepl Notebook Sandbox Escape Vulnerability
17 Feb 202200:00
zdt
Circl		CVE-2021-42950
3 Mar 202207:25
circl
CNNVD		Zepl Notebook 安全漏洞
17 Feb 202200:00
cnnvd
CVE		CVE-2021-42950
3 Mar 202202:10
cve
Cvelist		CVE-2021-42950
3 Mar 202202:10
cvelist
EUVD		EUVD-2021-29905
3 Oct 202520:07
euvd
NVD		CVE-2021-42950
3 Mar 202203:15
nvd
OSV		CVE-2021-42950
3 Mar 202203:15
osv
Prion		Remote code execution
3 Mar 202203:15
prion
RedhatCVE		CVE-2021-42950
22 May 202521:06
redhatcve
Rows per page
Exploit Title: Zepl Notebook - Remote Code Execution
Vendor Homepage: https://zepl.com/
Software Link: https://app.zepl.com/
Version: All previous versions of product to the date of this submission
Tested on: The issue affects all versions of the product up to the date of this submission
Exploit Authors: Josh Sheppard & Pathfynder Inc
Exploit Contact: ghost a t undervurse dot_com & josh a t pathfynder dot_io
Exploit Technique: Remote
CVE ID: CVE-2021-42950
 1. Description
 A remote code execution vulnerability has been discovered in Zepl's Notebooks product. Users can register for an account and are allocated a set number of credits to try the product. Once users authenticate, they can proceed to create a new organization by which additional users can be added for various collaboration abilities. Once this has been established, users can then create new Zepl Notebooks with various languages, contexts and deployment scenarios. Upon creating a new notebook with specially crafted malicious code, a user can then launch remote code execution.
 This vulnerability effects all previous versions of their Notebook product suite.
 2. Disclosure Timeline
 9/28/21 - Discovery and Exploitation
9/28/21 - Vendor Notified
2/16/22 - CVE Assignment
2/17/22 - Public Disclosure
 3. Mitigation
 Hotfix applied to vendors SAAS solution, no action is necessary at this time.

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Feb 2022 00:00Current
CVSS 26.5
CVSS 3.18.8
EPSS0.02852
zeplremote code executionvulnerabilitydiscoveryexploitationvendor notificationcve-2021-42950mitigationhotfix
278