Fleet vulnerable to OS command injection via crafted software package metadata in uninstall scripts

Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall is triggered for a crafted software package. Version 4.81.1 patches the issue.

N/A

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

Fleet 操作系统命令注入漏洞

Fleet是Fleet Device Management开源的一个设备管理平台，支持多种操作系统和设备，帮助 IT 和安全团队进行设备管理、漏洞报告、MDM 等操作。 Fleet 4.81.1之前版本存在操作系统命令注入漏洞，该漏洞源于软件安装程序管道存在命令注入，可能导致在受管主机上以root或SYSTEM权限执行任意代码。

N/A

N/A