PT-2021-23239 · Sharetribe · Sharetribe Go

Wang Sheng

Published

2021-11-19

Updated

2021-11-24

CVE-2021-41280

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Sharetribe Go versions prior to 10.2.1

Description The issue affects Sharetribe Go, a source available marketplace software, where operating system command injection is possible on installations without a secret AWS Simple Notification Service (SNS) notification token configured via the sns notification token configuration parameter. This parameter is unset by default.

Recommendations For versions prior to 10.2.1, upgrade to version 10.2.1 to resolve the issue. As a temporary workaround for users who are unable to upgrade, set the sns notification token configuration parameter to a secret value.

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2021-41280

GHSA-HJJC-P9HR-424C

Affected Products

Sharetribe Go

PT-2021-23239 · Sharetribe · Sharetribe Go

CVE-2021-41280

Weakness Enumeration

Related Identifiers

Affected Products

References · 7