CVE-2018-4021: OS Command Injection
First published: Mon Dec 03 2018(Updated: )
An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_battery_mode` POST parameter.
Credit: talos-cna@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Netgate pfSense | =2.4.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2018-4021?
CVE-2018-4021 is an exploitable command injection vulnerability in Netgate pfSense CE 2.4.4-RELEASE.
How does CVE-2018-4021 impact Netgate pfSense CE 2.4.4-RELEASE?
CVE-2018-4021 allows an attacker to execute arbitrary commands on the system through a specific POST request.
What is the severity of CVE-2018-4021?
CVE-2018-4021 has a severity rating of 7.2 out of 10 (high).
How can an attacker exploit CVE-2018-4021?
An attacker can exploit CVE-2018-4021 by sending an authenticated POST request with malicious parameters.
Is there a fix available for CVE-2018-4021 in Netgate pfSense CE 2.4.4-RELEASE?
Yes, a fix is available to address the command injection vulnerability in Netgate pfSense CE 2.4.4-RELEASE.
- collector/nvd-index
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/type
- agent/event
- agent/last-modified-date
- agent/tags
- agent/softwarecombine
- agent/first-publish-date
- agent/description
- collector/mitre-cve
- source/MITRE
- vendor/netgate
- canonical/netgate pfsense
- version/netgate pfsense/2.4.4