Description
Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI.
A flaw was found in cockpit. An attacker is able to inject custom PHP code and achieve remote command execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Statement
This vulnerability applies to Cockpit CMS (https://getcockpit.com/), which is a different product than the Cockpit Project (https://cockpit-project.org/) used in Red Hat products. The Cockpit Project is not affected by this vulnerability.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 7 | cockpit | Not affected | | |
| Red Hat Enterprise Linux 8 | cockpit | Not affected | | |
| Red Hat Enterprise Linux 9 | cockpit | Not affected | | |
| Red Hat Virtualization 4 | cockpit | Not affected | | |
Additional information
EPSS:
CVSS3: 9.8 Critical