CVE-2021-4326: Imperative Local Command Injection allows Activity Masking
First published: Wed Feb 22 2023(Updated: )
A vulnerability in Imperative framework which allows already-privileged local actors to execute arbitrary shell commands via plugin install/update commands, or maliciously formed environment variables. Impacts Zowe CLI.
Credit: zowe-security@lists.openmainframeproject.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zowe | >=1.16.0<1.28.2 | |
| Zowe | >=2.0.0<2.5.0 |
Remedy
This issue is fixed in Zowe 1.28.2 or later, and Zowe 2.5.0 or later.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-4326?
CVE-2021-4326 is rated as a medium severity vulnerability.
How do I fix CVE-2021-4326?
To fix CVE-2021-4326, it is recommended to upgrade to Zowe version 1.28.3 or later for versions 1.16.0 to 1.28.2 and to version 2.5.1 or later for versions 2.0.0 to 2.5.0.
What software is affected by CVE-2021-4326?
CVE-2021-4326 affects certain versions of the Zowe CLI framework from Linux Foundation.
What type of exploitation is possible with CVE-2021-4326?
Exploitation of CVE-2021-4326 allows already-privileged local actors to execute arbitrary shell commands.
Are environment variables a risk in CVE-2021-4326?
Yes, maliciously formed environment variables can be used to exploit CVE-2021-4326.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/remedy
- agent/author
- agent/last-modified-date
- agent/references
- agent/title
- agent/event
- agent/description
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/linuxfoundation
- canonical/zowe
- version/zowe/1.16.0
- version/zowe/2.0.0