CVE-2021-33523 - OpenCVE

MashZone NextGen through 10.7 GA allows a remote authenticated user, with access to the admin console, to upload a new JDBC driver that can execute arbitrary commands on the underlying host. This occurs in com.idsscheer.ppmmashup.business.jdbc.DriverUploadController.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Softwareag	Mashzone Nextgen

Configuration 1 [-]

cpe:2.3:a:softwareag:mashzone_nextgen:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/blackarrowsec/advisories/tree/master/2021/CVE-2021-33523
https://www.softwareag.com/corporate/products/az/mashzone_nextgen/default

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-03-30T22:06:40

Updated: 2024-08-03T23:50:43.180Z

Reserved: 2021-05-24T00:00:00

Link: CVE-2021-33523

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-03-30T23:15:07.687

Modified: 2022-04-06T00:14:34.807

Link: CVE-2021-33523

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "MashZone NextGen through 10.7 GA allows a remote authenticated user, with access to the admin console, to upload a new JDBC driver that can execute arbitrary commands on the underlying host. This occurs in com.idsscheer.ppmmashup.business.jdbc.DriverUploadController."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-03-30T22:06:40", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.softwareag.com/corporate/products/az/mashzone_nextgen/default"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/blackarrowsec/advisories/tree/master/2021/CVE-2021-33523"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-33523", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "MashZone NextGen through 10.7 GA allows a remote authenticated user, with access to the admin console, to upload a new JDBC driver that can execute arbitrary commands on the underlying host. This occurs in com.idsscheer.ppmmashup.business.jdbc.DriverUploadController."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.softwareag.com/corporate/products/az/mashzone_nextgen/default", "refsource": "MISC", "url": "https://www.softwareag.com/corporate/products/az/mashzone_nextgen/default"}, {"name": "https://github.com/blackarrowsec/advisories/tree/master/2021/CVE-2021-33523", "refsource": "MISC", "url": "https://github.com/blackarrowsec/advisories/tree/master/2021/CVE-2021-33523"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:50:43.180Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.softwareag.com/corporate/products/az/mashzone_nextgen/default"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/blackarrowsec/advisories/tree/master/2021/CVE-2021-33523"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-33523", "datePublished": "2022-03-30T22:06:40", "dateReserved": "2021-05-24T00:00:00", "dateUpdated": "2024-08-03T23:50:43.180Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:softwareag:mashzone_nextgen:*:*:*:*:*:*:*:*", "matchCriteriaId": "62263DED-AAA9-4E06-A0E7-F6905BFAE6B6", "versionEndIncluding": "10.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MashZone NextGen through 10.7 GA allows a remote authenticated user, with access to the admin console, to upload a new JDBC driver that can execute arbitrary commands on the underlying host. This occurs in com.idsscheer.ppmmashup.business.jdbc.DriverUploadController."}, {"lang": "es", "value": "MashZone NextGen versiones hasta 10.7 GA, permite a un usuario remoto autenticado, con acceso a la consola de administraci\u00f3n, cargar un nuevo controlador JDBC que puede ejecutar comandos arbitrarios en el host subyacente. Esto ocurre en com.idsscheer.ppmmashup.business.jdbc.DriverUploadController"}], "id": "CVE-2021-33523", "lastModified": "2022-04-06T00:14:34.807", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-30T23:15:07.687", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/blackarrowsec/advisories/tree/master/2021/CVE-2021-33523"}, {"source": "cve@mitre.org", "tags": ["Product", "Vendor Advisory"], "url": "https://www.softwareag.com/corporate/products/az/mashzone_nextgen/default"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}