PT-2021-16416 · Microsoft+2 · Hyper-V+2

Published: 2021-02-09 · Updated: 2021-02-16 · CVE-2021-25140
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: HPE Moonshot Provisioning Manager version 1.20
Description: A potential security issue has been identified in the HPE Moonshot Provisioning Manager. This application is used to set up and configure an HPE Moonshot 1500 chassis in a VMware or Microsoft Hyper-V environment. The issue could be remotely exploited by an unauthenticated user to cause a directory traversal in user-supplied input to the khuploadfile.cgi CGI ELF. This could lead to Remote Code Execution, Denial of Service, and/or compromise of system integrity.
Recommendations: As a temporary workaround, consider disabling the khuploadfile.cgi CGI ELF until further guidance is available. HPE recommends that customers discontinue the use of the HPE Moonshot Provisioning Manager. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2021-25140

Affected Products

HPE Moonshot Provisioning Manager
Hyper-V
VMware