PT-2021-13735 · Sma100+5
Published 2021-12-08 · Updated 2025-09-05
CVE-2021-20039
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
SMA 200
SMA 210
SMA 400
SMA 410
SMA 500v
Description:
The issue is improper neutralization of special elements in the SMA100 management interface, specifically in the handling of the HTTP POST method on '/cgi-bin/viewcert'. This allows a remote authenticated attacker to inject arbitrary commands as the 'nobody' user.
Recommendations:
For SMA 200, update to a version that fixes the improper neutralization of special elements in the SMA100 management interface.
For SMA 210, update to a version that fixes the improper neutralization of special elements in the SMA100 management interface.
For SMA 400, update to a version that fixes the improper neutralization of special elements in the SMA100 management interface.
For SMA 410, update to a version that fixes the improper neutralization of special elements in the SMA100 management interface.
For SMA 500v, update to a version that fixes the improper neutralization of special elements in the SMA100 management interface.
As a temporary workaround, consider restricting access to the '/cgi-bin/viewcert' API endpoint until a patch is available.
Exploit
Fix
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Sma 200
Sma 210
Sma 400
Sma 410
Sma 500V
Sma100