PT-2021-15491 · Wincred · Wincred

Omnitaint

Published

2021-06-28

Updated

2022-07-12

CVE-2021-23399

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions wincred versions all

Description The issue allows an attacker to execute arbitrary commands if attacker-controlled user input is given to the getCredential function. This is due to the use of the child process exec function without input sanitization, which can lead to command execution.

Recommendations For all versions, consider disabling the getCredential function until a patch is available to prevent exploitation. Restrict access to the child process exec function to minimize the risk of arbitrary command execution. Avoid using the getCredential function with untrusted input until the issue is resolved.

Exploit

Fix

RCE

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20CWE-78

Related Identifiers

CVE-2021-23399

GHSA-V85C-HGQ5-7PFW

Affected Products

Wincred

PT-2021-15491 · Wincred · Wincred

CVE-2021-23399

Weakness Enumeration

Related Identifiers

Affected Products

References · 5