CVE-2021-28398

Опубликовано: 05 сент. 2022

Источник: nvd

CVSS3: 7.2

EPSS Низкий

Описание

A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0.

Ссылки

https://geonetwork-opensource.org/
Product
https://geonetwork-opensource.org/manuals/trunk/en/overview/change-log/version-3.6.0.html
Patch
Release Notes
Vendor Advisory
https://github.com/geonetwork/core-geonetwork
Third Party Advisory
https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-cf8p-c88c-h9jf
Mitigation
Patch
Third Party Advisory
https://geonetwork-opensource.org/
Product
https://geonetwork-opensource.org/manuals/trunk/en/overview/change-log/version-3.6.0.html
Patch
Release Notes
Vendor Advisory
https://github.com/geonetwork/core-geonetwork
Third Party Advisory
https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-cf8p-c88c-h9jf
Mitigation
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:osgeo:geonetwork:*:*:*:*:*:*:*:*

Версия от 3.4.0 (включая) до 3.12.0 (исключая)

cpe:2.3:a:osgeo:geonetwork:*:*:*:*:*:*:*:*

Версия от 4.0.0 (включая) до 4.0.4 (исключая)

cpe:2.3:a:osgeo:geonetwork:4.0.0:alpha1:*:*:*:*:*:*

cpe:2.3:a:osgeo:geonetwork:4.0.0:alpha2:*:*:*:*:*:*

EPSS

Процентиль: 78%

0.01122

Низкий

7.2 High

CVSS3

Дефекты

CWE-78