cve-2021-41243
Vulnerability from cvelistv5
Published
2021-11-26 17:55
Modified
2024-08-04 03:08
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Summary
OS Command Injection Vulnerability and Potential Zip Slip Vulnerability
References
security-advisories@github.comhttps://github.com/baserproject/basercms/commit/9088b99c329d1faff3a2f1269f37b9a9d8d5f6ffPatch, Third Party Advisory
security-advisories@github.comhttps://github.com/baserproject/basercms/security/advisories/GHSA-7rpc-9m88-cf9wThird Party Advisory
Impacted products
baserprojectbasercms
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:08:31.498Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-7rpc-9m88-cf9w"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/baserproject/basercms/commit/9088b99c329d1faff3a2f1269f37b9a9d8d5f6ff"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "basercms",
          "vendor": "baserproject",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.5.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "There is a Potential Zip Slip Vulnerability and OS Command Injection Vulnerability on the management system of baserCMS. Users with permissions to upload files may upload crafted zip files which may execute arbitrary commands on the host operating system. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users. If you are eligible, please update to the new version as soon as possible."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-26T17:55:09",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-7rpc-9m88-cf9w"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/baserproject/basercms/commit/9088b99c329d1faff3a2f1269f37b9a9d8d5f6ff"
        }
      ],
      "source": {
        "advisory": "GHSA-7rpc-9m88-cf9w",
        "discovery": "UNKNOWN"
      },
      "title": "OS Command Injection Vulnerability and Potential Zip Slip Vulnerability",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41243",
          "STATE": "PUBLIC",
          "TITLE": "OS Command Injection Vulnerability and Potential Zip Slip Vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "basercms",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 4.5.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "baserproject"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "There is a Potential Zip Slip Vulnerability and OS Command Injection Vulnerability on the management system of baserCMS. Users with permissions to upload files may upload crafted zip files which may execute arbitrary commands on the host operating system. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users. If you are eligible, please update to the new version as soon as possible."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/baserproject/basercms/security/advisories/GHSA-7rpc-9m88-cf9w",
              "refsource": "CONFIRM",
              "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-7rpc-9m88-cf9w"
            },
            {
              "name": "https://github.com/baserproject/basercms/commit/9088b99c329d1faff3a2f1269f37b9a9d8d5f6ff",
              "refsource": "MISC",
              "url": "https://github.com/baserproject/basercms/commit/9088b99c329d1faff3a2f1269f37b9a9d8d5f6ff"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-7rpc-9m88-cf9w",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41243",
    "datePublished": "2021-11-26T17:55:09",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2024-08-04T03:08:31.498Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-41243\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-11-26T18:15:07.253\",\"lastModified\":\"2021-11-30T19:26:22.173\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"There is a Potential Zip Slip Vulnerability and OS Command Injection Vulnerability on the management system of baserCMS. Users with permissions to upload files may upload crafted zip files which may execute arbitrary commands on the host operating system. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users. If you are eligible, please update to the new version as soon as possible.\"},{\"lang\":\"es\",\"value\":\"Se presenta una Vulnerabilidad Potencial de Deslizamiento de Zip y de Inyecci\u00f3n de Comandos del Sistema Operativo en el sistema de administraci\u00f3n de baserCMS. Los usuarios con permisos para subir archivos pueden subir archivos zip dise\u00f1ados que pueden ejecutar comandos arbitrarios en el sistema operativo anfitri\u00f3n. Se trata de una vulnerabilidad que debe solucionarse cuando el sistema de administraci\u00f3n es usado por un n\u00famero indeterminado de usuarios. Si usted es elegible, por favor, actualice a la nueva versi\u00f3n tan pronto como sea posible\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":3.1,\"impactScore\":5.3}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:C/I:C/A:C\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\",\"baseScore\":9.0},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:basercms:basercms:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.5.4\",\"matchCriteriaId\":\"70008390-2A64-4FEC-9502-2045C3643BDC\"}]}]}],\"references\":[{\"url\":\"https://github.com/baserproject/basercms/commit/9088b99c329d1faff3a2f1269f37b9a9d8d5f6ff\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/baserproject/basercms/security/advisories/GHSA-7rpc-9m88-cf9w\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.