https://github.com/mbadanoiu/cve-2021-42559

CVE-2021-42559: Command Injection via Configurations in MITRE Caldera

0-day authenticated cve cve-2021-42559 cves remote-code-execution

README

# CVE-2021-42559: Command Injection via Configurations in MITRE Caldera

Caldera (versions <=2.8.1) contains multiple startup "requirements" that execute commands when the server starts. Because these commands can be changed via the REST API, an authenticated user can insert arbitrary commands that will execute when the server is restarted.

### Vendor Disclosure:

The vendor's disclosure for this vulnerability can be found [here](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42559).

### Requirements:

This vulnerability requires:

- Valid user credentials
- Waiting for the Caldera application to be restarted

### Proof Of Concept:

More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2021-42559/blob/main/Caldera%20-%20CVE-2021-42559.pdf).