CVE-2021-28398

A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0.
Configurations

Configuration 1

cpe:2.3:a:osgeo:geonetwork:*:*:*:*:*:*:*:*
cpe:2.3:a:osgeo:geonetwork:*:*:*:*:*:*:*:*
cpe:2.3:a:osgeo:geonetwork:4.0.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:osgeo:geonetwork:4.0.0:alpha1:*:*:*:*:*:*

Information

Published : 2022-09-05 05:15

Updated : 2022-10-01 02:18


NVD link : CVE-2021-28398

Mitre link : CVE-2021-28398

Products Affected
No products.
CWE