CVE Vulnerability

CVE-2021-28398

A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0.

7.2 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://geonetwork-opensource.org/ Product
https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-cf8p-c88c-h9jf Mitigation Patch
https://github.com/geonetwork/core-geonetwork Third Party Advisory
https://geonetwork-opensource.org/manuals/trunk/en/overview/change-log/version-3.6.0.html Patch Release Notes
Configurations

Configuration 1

cpe:2.3:a:osgeo:geonetwork:*:*:*:*:*:*:*:*
cpe:2.3:a:osgeo:geonetwork:*:*:*:*:*:*:*:*
cpe:2.3:a:osgeo:geonetwork:4.0.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:osgeo:geonetwork:4.0.0:alpha1:*:*:*:*:*:*
Information

Published : 2022-09-05 05:15

Updated : 2022-10-01 02:18

NVD link : CVE-2021-28398

Mitre link : CVE-2021-28398

Products Affected
No products.
CWE
CWE-78