Vulnerability Information
Vulnerability Title
RCE - Command Injection in Signal K set-system-time plugin
Vulnerability Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. This vulnerability is fixed in 1.5.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Vulnerability Title
Signal K Server OS Command Injection Vulnerability
Vulnerability Description
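Signal K Server is an open-source central server for boats from Signal K. Signal K Server versions prior to 1.5.0 contain an OS command injection vulnerability that stems from unsafe construction of shell commands when processing navigation.datetime values and may lead to command injection.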
CVSS Information
N/A
Vulnerability Type
N/A
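The descriptions above attribute the flaw to shell commands built from navigation.datetime values in delta messages. The following added example (not code from the set-system-time plugin or the Signal K project) shows the defensive pattern: strict validation of the value, then execution without a shell. The function names, the sample deltas and the `date -u -s` invocation are assumptions made for illustration.

```javascript
// Added example: not the set-system-time plugin's code.
// Accept only a strict RFC 3339 UTC timestamp (digits and fixed punctuation).
const RFC3339_UTC = /^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.\d{1,9})?Z$/;

// Return a canonical "YYYY-MM-DDTHH:MM:SSZ" string, or null if value is unacceptable.
function parseDatetime(value) {
  if (typeof value !== 'string') return null;
  const m = RFC3339_UTC.exec(value);
  if (!m) return null;
  const [y, mo, d, h, mi, s] = m.slice(1, 7).map(Number);
  const t = new Date(Date.UTC(y, mo - 1, d, h, mi, s));
  // Reject values the Date object had to roll over (Feb 30, hour 24, second 60).
  const exact = t.getUTCFullYear() === y && t.getUTCMonth() === mo - 1 &&
    t.getUTCDate() === d && t.getUTCHours() === h &&
    t.getUTCMinutes() === mi && t.getUTCSeconds() === s;
  return exact ? t.toISOString().replace('.000Z', 'Z') : null;
}

// Pull navigation.datetime out of a delta ({updates: [{values: [{path, value}]}]}).
function datetimeFromDelta(delta) {
  const updates = Array.isArray(delta?.updates) ? delta.updates : [];
  for (const update of updates) {
    const values = Array.isArray(update?.values) ? update.values : [];
    for (const pv of values) {
      if (pv?.path === 'navigation.datetime') return parseDatetime(pv.value);
    }
  }
  return null;
}

// Set the clock without a shell: execFile passes the timestamp as one argv entry.
// ASSUMPTION: the clock is set with `date -u -s <timestamp>`.
function applySystemTime(delta, callback) {
  const ts = datetimeFromDelta(delta);
  if (ts === null) return callback(new Error('navigation.datetime rejected'));
  const { execFile } = require('node:child_process'); // loaded only when needed
  return execFile('date', ['-u', '-s', ts], callback);
}

// Constructed sample deltas (not captured traffic).
const GOOD_DELTA = { updates: [{ values: [
  { path: 'navigation.datetime', value: '2024-05-01T12:34:56.250Z' }] }] };
const BAD_DELTA = { updates: [{ values: [
  { path: 'navigation.datetime', value: '2024-05-01T12:34:56Z;echo constructed' }] }] };

console.log(datetimeFromDelta(GOOD_DELTA));
console.log(datetimeFromDelta(BAD_DELTA));
```

Validation and shell-free execution are independent layers: either one alone stops the value from being interpreted as shell syntax, and together they also keep malformed timestamps away from the clock.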