CVE-2021-42561

Name of the Vulnerable Software and Affected Versions CALDERA version 2.8.1

Description An issue was discovered in CALDERA. When activated, the Human plugin passes the unsanitized name parameter to a python os.system function. This allows attackers to use shell metacharacters (e.g., backticks or dollar parenthesis) in order to escape the current command and execute arbitrary shell commands.

Recommendations For CALDERA version 2.8.1, consider disabling the Human plugin until a patch is available to prevent the execution of arbitrary shell commands. Restrict access to the os.system function to minimize the risk of exploitation. Avoid using the name parameter in the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.