PT-2021-22881 · Unknown · Gridpro Request Management

Giulian Guran · Published 2021-10-25 · Updated 2021-10-29 · CVE-2021-40371

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Gridpro Request Management for Windows Azure Pack, versions prior to 2.0.7912

Description: The issue allows directory traversal leading to remote code execution. It can be demonstrated by supplying ".." in the scriptName JSON value sent to the ServiceManagerTenant/GetVisibilityMap endpoint.

Recommendations: For versions prior to 2.0.7912, update to version 2.0.7912 or later to resolve the issue. As a temporary workaround, consider restricting access to the ServiceManagerTenant/GetVisibilityMap endpoint until the patch is applied, and avoid relying on the scriptName JSON value of the affected endpoint until the issue is resolved.
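As an added illustration, not code from Gridpro or from this advisory: a server-side check, in Python, that canonicalizes a client-supplied scriptName against a fixed script directory and rejects any value that escapes it. This is the class of validation the affected endpoint lacks. The script root, the request shape and the sample bodies are assumptions made for the example.

```python
import json
from pathlib import Path, PurePosixPath

# Assumed location of the deployable scripts; the advisory does not state the
# product's real layout, so this is a placeholder for the example.
SCRIPT_ROOT = Path("/opt/requestmgmt/scripts").resolve()


def resolve_script_name(script_name: str, root: Path = SCRIPT_ROOT) -> Path:
    """Return the file that scriptName refers to, or raise ValueError.

    The decision is made on the canonicalized path, not by searching the raw
    string for "..", so variants such as "a/../../b" or "./x/../../y" are
    handled by normalization rather than by pattern matching.
    """
    if not isinstance(script_name, str) or not script_name:
        raise ValueError("scriptName missing or not a string")
    # Backslashes are path separators on the Windows host; NUL is never valid.
    if "\x00" in script_name or "\\" in script_name:
        raise ValueError("scriptName contains a forbidden character")
    posix = PurePosixPath(script_name)
    if posix.is_absolute() or ":" in script_name:
        raise ValueError("scriptName must be a relative name")
    candidate = (root / posix).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError("scriptName escapes the script root")
    if candidate == root:
        raise ValueError("scriptName does not name a file")
    return candidate


def handle_visibility_map(body: str) -> dict:
    """Parse a GetVisibilityMap-style JSON body and validate its scriptName.

    Returns {"ok": True, "script": "<path>"} or {"ok": False, "error": "..."}
    so the caller can log the rejection and answer HTTP 400 without touching disk.
    """
    try:
        request = json.loads(body)
        script = resolve_script_name(request.get("scriptName"))
    except (ValueError, AttributeError) as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "script": str(script)}


if __name__ == "__main__":
    # Constructed sample bodies, not captured traffic.
    for sample in ('{"scriptName": "tenant/visibility.ps1"}',
                   '{"scriptName": "../../Windows/System32/cmd.exe"}'):
        print(sample, "->", handle_visibility_map(sample))
```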

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2021-40371

Affected Products

Gridpro Request Management