CVE-2021-42561
First published: Wed Jan 12 2022(Updated: )
An issue was discovered in CALDERA 2.8.1. When activated, the Human plugin passes the unsanitized name parameter to a python "os.system" function. This allows attackers to use shell metacharacters (e.g., backticks "``" or dollar parenthesis "$()" ) in order to escape the current command and execute arbitrary shell commands.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| MITRE CALDERA | <=2.8.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-42561?
The severity of CVE-2021-42561 is critical with a CVSS score of 8.8.
What is the vulnerability in CALDERA 2.8.1?
The vulnerability in CALDERA 2.8.1 is a command injection vulnerability in the Human plugin.
How does the vulnerability allow attackers to execute commands?
The vulnerability allows attackers to use shell metacharacters to escape the current command and execute arbitrary commands.
What is the affected software?
The affected software is CALDERA version 2.8.1.
How can I fix the vulnerability in CALDERA 2.8.1?
To fix the vulnerability, update CALDERA to a version that includes the fix, such as version X.X.X.
- collector/nvd-index
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/type
- agent/tags
- agent/description
- agent/event
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- vendor/mitre
- canonical/mitre caldera
- version/mitre caldera/2.8.1