CVE-2019-5029

Name of the Vulnerable Software and Affected Versions Exhibitor Web UI versions 1.0.9 through 1.7.1

Description A command injection issue exists in the Config editor of the Exhibitor Web UI. This allows an attacker to insert arbitrary shell commands surrounded by backticks or $() into the editor, which will be executed by the Exhibitor process when it launches ZooKeeper. As a result, an attacker can execute any command as the user running the Exhibitor process. The vulnerability can be exploited by a remote attacker to execute commands with the privileges of the target user.

Recommendations For Exhibitor Web UI versions 1.0.9 through 1.7.1, consider disabling the Config editor feature until a patch is available to prevent exploitation of the command injection vulnerability. Restrict access to the Exhibitor process to minimize the risk of exploitation. Avoid using the backticks or $() syntax in the Config editor to prevent command injection. At the moment, there is no information about a newer version that contains a fix for this vulnerability.