PT-2022-10288 · Atune · Atune
Published: 2022-03-03 · Updated: 2025-04-02
CVE-2021-33658
CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
atune versions prior to 0.3-0.8
Description
The issue allows an attacker to escalate local privileges or modify any file by accessing the local atune URL interface. This can be achieved by logging in as a local user and running a curl command. The default configuration does not enforce authentication.
Recommendations
For atune versions prior to 0.3-0.8, consider disabling access to the local atune URL interface until a patch is available. Restrict local user privileges to minimize the risk of exploitation.
Fix
Missing Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Atune