An issue was discovered in Object First 1.0.7.712. The management protocol has a flow that allows a remote attacker to execute arbitrary Bash code with root privileges. The command that sets the hostname doesn't validate its input parameters, so arbitrary data goes directly to the Bash interpreter. The vulnerability is triggered when a remote attacker sends a specially crafted HTTP request to the Object First server. An attacker would need credentials to exploit this vulnerability. This is fixed in 1.0.13.1611.
This vulnerability has been assigned CVE-2017-17652.
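
The root cause described above (a hostname parameter reaching Bash unvalidated) and one way to close it, shown as an added example that is not Object First's code or its actual fix. The `hostnamectl` call, the function names and the sample inputs are assumptions made for illustration.

```python
import re
import subprocess

# RFC 1123 label: 1-63 chars of letters, digits or hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
MAX_HOSTNAME_LEN = 253

def unsafe_command_line(name: str) -> str:
    """Flawed pattern: the parameter is pasted into text that Bash will parse."""
    return f"hostnamectl set-hostname {name}"  # as it would be handed to bash -c

def validate_hostname(name: str) -> str:
    """Return name unchanged if it is a valid RFC 1123 hostname, else raise."""
    if not isinstance(name, str) or not 0 < len(name) <= MAX_HOSTNAME_LEN:
        raise ValueError("hostname has invalid type or length")
    for label in name.split("."):
        if not _LABEL.fullmatch(label):
            raise ValueError(f"invalid hostname label: {label!r}")
    return name

def safe_argv(name: str) -> list:
    """Build an argument vector; the value is validated and no shell parses it."""
    return ["hostnamectl", "set-hostname", validate_hostname(name)]

def set_hostname(name: str, run=subprocess.run):
    """Apply the hostname. `run` is injectable so this can be tested without root."""
    return run(safe_argv(name), shell=False, check=True)

def is_valid(name) -> bool:
    try:
        validate_hostname(name)
        return True
    except ValueError:
        return False

# Constructed sample inputs, not taken from the product or the advisory.
SAMPLES = ["backup-node-01", "node1.example.internal", "node1; id",
           "$(id)", "-h", "a" * 64, ""]

def classify(samples=SAMPLES) -> dict:
    """Map each sample to True (accepted) or False (rejected)."""
    return {s: is_valid(s) for s in samples}

if __name__ == "__main__":
    for sample, ok in classify().items():
        print(f"{sample!r:30} {'accepted' if ok else 'rejected'}")
```

Validation and shell-free execution are independent controls: the allow-list rejects anything that is not a hostname, and the argument vector keeps any value that does get through from being interpreted as shell syntax.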

Object First 1.0.13.1611 – Apache Struts vulnerability fix

Fixes the CVE-2017-17652 vulnerability:

- The Apache Struts vulnerability in 1.0.7.712 was fixed and a new version was released.

Timeline

Published on: 11/07/2022 04:15:00 UTC
Last modified on: 11/08/2022 04:23:00 UTC
