CVE-2021-4406 - OpenCVE

An administrator is able to execute commands as root via the alerts management dialog

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Osnexus	Quantastor

Configuration 1 [-]

cpe:2.3:a:osnexus:quantastor:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://csirt.divd.nl/CVE-2021-4406
https://www.divd.nl/DIVD-2021-00020
https://www.osnexus.com/products/software-defined-storage

History

No history.

MITRE

Status: PUBLISHED

Assigner: DIVD

Published: 2023-07-10T06:29:48.698Z

Updated: 2024-08-06T12:32:43.034Z

Reserved: 2023-07-05T15:24:56.556Z

Link: CVE-2021-4406

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-07-10T16:15:47.747

Modified: 2023-07-13T18:52:57.930

Link: CVE-2021-4406

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-4406", "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217", "state": "PUBLISHED", "assignerShortName": "DIVD", "dateReserved": "2023-07-05T15:24:56.556Z", "datePublished": "2023-07-10T06:29:48.698Z", "dateUpdated": "2024-08-06T12:32:43.034Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "QuantaStor", "vendor": "OSNEXUS", "versions": [{"lessThanOrEqual": "6.0.0.355", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Wietse Boonstra"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An administrator is able to execute commands as root via the alerts management dialog"}], "value": "An administrator is able to execute commands as root via the alerts management dialog"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217", "shortName": "DIVD", "dateUpdated": "2024-08-06T12:32:43.034Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.divd.nl/DIVD-2021-00020"}, {"tags": ["product"], "url": "https://www.osnexus.com/products/software-defined-storage"}, {"tags": ["third-party-advisory"], "url": "https://csirt.divd.nl/CVE-2021-4406"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade to the latest version of OSNEXUS QuantaStor and hope it is fixed"}], "value": "Upgrade to the latest version of OSNEXUS QuantaStor and hope it is fixed"}], "source": {"discovery": "INTERNAL"}, "title": "Authenticated Remote COmmand Execution as root in OSNEXUS QuantaStor version 6.0.0.355 and others", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:23:10.705Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.divd.nl/DIVD-2021-00020", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://www.osnexus.com/products/software-defined-storage", "tags": ["product", "x_transferred"]}, {"url": "https://csirt.divd.nl/CVE-2021-4406", "tags": ["third-party-advisory", "x_transferred"]}]}]}}