关联漏洞
标题:
Caldera 命令注入漏洞
(CVE-2021-42559)
描述:Caldera是法国Caldera公司的一套能够为打印机设备提供色彩管理、成像和处理解决方案的软件。 Caldera 2.8.1存在命令注入漏洞,该漏洞源于在启动服务器时执行命令的多个启动“需求”。因为这些命令可以通过REST API更改,所以经过身份验证的用户可以插入任意命令,这些命令将在服务器重启时执行。
描述
CVE-2021-42559: Command Injection via Configurations in MITRE Caldera
介绍
# CVE-2021-42559: Command Injection via Configurations in MITRE Caldera
Caldera (versions <=2.8.1) contains multiple startup "requirements" that execute commands when starting the server. Because these commands can be changed via the Rest API, an authenticated user can insert arbitrary commands that will execute when the server is restarted.
<br/>
### Vendor Disclosure:
The vendor's disclosure for this vulnerability can be found [here](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42559).
### Requirements:
This vulnerability requires:
<br/>
- Valid user credentials
- Waiting for the Caldera application to be restarted
### Proof Of Concept:
More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2021-42559/blob/main/Caldera%20-%20CVE-2021-42559.pdf).
文件快照
[4.0K] /data/pocs/a0c81a67028752aabd492735564a6f3988e90ef7
├── [397K] Caldera - CVE-2021-42559.pdf
└── [ 823] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。