CVE-2021-28398 - OpenCVE

A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Osgeo	Geonetwork

Configuration 1 [-]

OR	cpe:2.3:a:osgeo:geonetwork::::::::
	cpe:2.3:a:osgeo:geonetwork::::::::
	cpe:2.3:a:osgeo:geonetwork:4.0.0:alpha1::::::
	cpe:2.3:a:osgeo:geonetwork:4.0.0:alpha2::::::

No data.

References

Link	Providers
https://geonetwork-opensource.org/
https://geonetwork-opensource.org/manuals/trunk/en/overview/change-log/version-3.6.0.html
https://github.com/geonetwork/core-geonetwork
https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-cf8p-c88c-h9jf

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-09-05T16:09:29

Updated: 2024-08-03T21:40:14.221Z

Reserved: 2021-03-15T00:00:00

Link: CVE-2021-28398

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-09-05T17:15:19.083

Modified: 2022-10-01T02:18:23.047

Link: CVE-2021-28398

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-05T16:09:29", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://geonetwork-opensource.org/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/geonetwork/core-geonetwork"}, {"tags": ["x_refsource_MISC"], "url": "https://geonetwork-opensource.org/manuals/trunk/en/overview/change-log/version-3.6.0.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-cf8p-c88c-h9jf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-28398", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://geonetwork-opensource.org/", "refsource": "MISC", "url": "https://geonetwork-opensource.org/"}, {"name": "https://github.com/geonetwork/core-geonetwork", "refsource": "MISC", "url": "https://github.com/geonetwork/core-geonetwork"}, {"name": "https://geonetwork-opensource.org/manuals/trunk/en/overview/change-log/version-3.6.0.html", "refsource": "MISC", "url": "https://geonetwork-opensource.org/manuals/trunk/en/overview/change-log/version-3.6.0.html"}, {"name": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-cf8p-c88c-h9jf", "refsource": "CONFIRM", "url": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-cf8p-c88c-h9jf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T21:40:14.221Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://geonetwork-opensource.org/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/geonetwork/core-geonetwork"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://geonetwork-opensource.org/manuals/trunk/en/overview/change-log/version-3.6.0.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-cf8p-c88c-h9jf"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-28398", "datePublished": "2022-09-05T16:09:29", "dateReserved": "2021-03-15T00:00:00", "dateUpdated": "2024-08-03T21:40:14.221Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:osgeo:geonetwork:*:*:*:*:*:*:*:*", "matchCriteriaId": "1299B47E-8561-47D5-BF7B-2E33CC71BF9F", "versionEndExcluding": "3.12.0", "versionStartIncluding": "3.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:osgeo:geonetwork:*:*:*:*:*:*:*:*", "matchCriteriaId": "5959BA61-0F46-4F25-8AD7-3AF29CEDF3F8", "versionEndExcluding": "4.0.4", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:osgeo:geonetwork:4.0.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "58A83C77-BABD-4DE5-BEC9-30798C3CB6B8", "vulnerable": true}, {"criteria": "cpe:2.3:a:osgeo:geonetwork:4.0.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "58DC7012-9FE1-4A16-9807-885939EEA36E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0."}, {"lang": "es", "value": "Un atacante privilegiado en GeoNetwork versiones anteriores a 3.12.0 y versiones 4.x anteriores a 4.0.4, puede usar el script previo del recolector de directorios para ejecutar comandos arbitrarios del Sistema Operativo de forma remota en la infraestructura de alojamiento. Para llevarlo a cabo es requerida una cuenta de usuario administrador o de administrador. Esto ocurre en el m\u00e9todo runBeforeScript en harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. La primera versi\u00f3n afectada es la 3.4.0"}], "id": "CVE-2021-28398", "lastModified": "2022-10-01T02:18:23.047", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-05T17:15:19.083", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://geonetwork-opensource.org/"}, {"source": "cve@mitre.org", "tags": ["Patch", "Release Notes", "Vendor Advisory"], "url": "https://geonetwork-opensource.org/manuals/trunk/en/overview/change-log/version-3.6.0.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/geonetwork/core-geonetwork"}, {"source": "cve@mitre.org", "tags": ["Mitigation", "Patch", "Third Party Advisory"], "url": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-cf8p-c88c-h9jf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}