MITRE CALDERA 2.8.1 REST API command injection

A vulnerability, which was classified as critical, was found in MITRE CALDERA 2.8.1. Affected is an unknown function of the component REST API Handler. There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Field01/13/2022 06:36 AM01/13/2022 06:37 AM01/15/2022 12:07 PM
nameCALDERACALDERACALDERA
version2.8.12.8.12.8.1
componentREST API HandlerREST API HandlerREST API Handler
cwe77 (privilege escalation)77 (privilege escalation)77 (privilege escalation)
risk222
cvss3_vuldb_acLLL
cvss3_vuldb_prLLL
cvss3_vuldb_uiNNN
cvss3_vuldb_sUUU
cvss3_vuldb_cLLL
cvss3_vuldb_iLLL
cvss3_vuldb_aLLL
cvss3_vuldb_ePPP
cvss3_vuldb_rcRRR
urlhttps://github.com/DrunkenShells/Disclosures/tree/master/CVE-2021-42559-Command%20Injection%20Via%20Configurations-MITRE%20Calderahttps://github.com/DrunkenShells/Disclosures/tree/master/CVE-2021-42559-Command%20Injection%20Via%20Configurations-MITRE%20Calderahttps://github.com/DrunkenShells/Disclosures/tree/master/CVE-2021-42559-Command%20Injection%20Via%20Configurations-MITRE%20Caldera
availability111
publicity111
urlhttps://github.com/DrunkenShells/Disclosures/tree/master/CVE-2021-42559-Command%20Injection%20Via%20Configurations-MITRE%20Calderahttps://github.com/DrunkenShells/Disclosures/tree/master/CVE-2021-42559-Command%20Injection%20Via%20Configurations-MITRE%20Calderahttps://github.com/DrunkenShells/Disclosures/tree/master/CVE-2021-42559-Command%20Injection%20Via%20Configurations-MITRE%20Caldera
cveCVE-2021-42559CVE-2021-42559CVE-2021-42559
cve_assigned163450800016345080001634508000
date1642028400 (01/13/2022)1642028400 (01/13/2022)1642028400 (01/13/2022)
cvss2_vuldb_acLLL
cvss2_vuldb_ciPPP
cvss2_vuldb_iiPPP
cvss2_vuldb_aiPPP
cvss2_vuldb_ePOCPOCPOC
cvss2_vuldb_rcURURUR
cvss2_vuldb_avAAA
cvss2_vuldb_auSSS
cvss2_vuldb_rlNDNDND
cvss3_vuldb_avAAA
cvss3_vuldb_rlXXX
cvss2_vuldb_basescore5.25.25.2
cvss2_vuldb_tempscore4.44.44.4
cvss3_vuldb_basescore5.55.55.5
cvss3_vuldb_tempscore5.05.05.0
cvss3_meta_basescore5.55.55.5
cvss3_meta_tempscore5.05.05.0
price_0day$0-$5k$0-$5k$0-$5k
vendorMITREMITRE
cve_nvd_summaryAn issue was discovered in CALDERA 2.8.1. It contains multiple startup "requirements" that execute commands when starting the server. Because these commands can be changed via the REST API, an authenticated user can insert arbitrary commands that will execute when the server is restarted.

Interested in the pricing of exploits?

See the underground prices here!