Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
NA

CVE-2021-28398

Published: 05/09/2022 Updated: 01/10/2022
CVSS v3 Base Score: 7.2 | Impact Score: 5.9 | Exploitability Score: 1.2
VMScore: 0
Subscribe to Geonetwork

Vulnerability Summary

A privileged attacker in GeoNetwork prior to 3.12.0 and 4.x prior to 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

osgeo geonetwork

osgeo geonetwork 4.0.0

References

CWE-78https://geonetwork-opensource.org/https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-cf8p-c88c-h9jfhttps://github.com/geonetwork/core-geonetworkhttps://geonetwork-opensource.org/manuals/trunk/en/overview/change-log/version-3.6.0.htmlhttps://nvd.nist.gov
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
blind SQL injectionSSRFbuffer overflowCVE-2023-28952CVE-2023-41822CVE-2024-27956CVE-2023-7028CVE-2024-34447CVE-2024-34460
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook