CVE-2021-26471

Опубликовано: 08 июн. 2021

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1, the http API located at /sgwebservice_o.php accepts a command argument. Using this command argument an unauthenticated attacker can execute arbitrary shell commands.

Ссылки

https://csirt.divd.nl/2021/05/11/Vembu-zero-days/
Third Party Advisory
https://csirt.divd.nl/cases/DIVD-2020-00011/
Third Party Advisory
https://csirt.divd.nl/cves/CVE-2021-26471/
Third Party Advisory
https://www.wbsec.nl/vembu
Broken Link
Third Party Advisory
https://csirt.divd.nl/2021/05/11/Vembu-zero-days/
Third Party Advisory
https://csirt.divd.nl/cases/DIVD-2020-00011/
Third Party Advisory
https://csirt.divd.nl/cves/CVE-2021-26471/
Third Party Advisory
https://www.wbsec.nl/vembu
Broken Link
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:vembu:bdr_suite:*:*:*:*:*:*:*:*

Версия до 4.2.0.1 (исключая)

cpe:2.3:a:vembu:offsite_dr:*:*:*:*:*:*:*:*

Версия до 4.2.0.1 (исключая)

EPSS

Процентиль: 92%

0.07871

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

GHSA-rpcc-jvgm-8vrr