CVE-2021-42559 PoC — Caldera 命令注入漏洞

Source

https://github.com/mbadanoiu/CVE-2021-42559

Associated Vulnerability

Title:Caldera 命令注入漏洞 (CVE-2021-42559)
Description:Caldera是法国Caldera公司的一套能够为打印机设备提供色彩管理、成像和处理解决方案的软件。 Caldera 2.8.1存在命令注入漏洞，该漏洞源于在启动服务器时执行命令的多个启动“需求”。因为这些命令可以通过REST API更改，所以经过身份验证的用户可以插入任意命令，这些命令将在服务器重启时执行。

Description

CVE-2021-42559: Command Injection via Configurations in MITRE Caldera

Readme

# CVE-2021-42559: Command Injection via Configurations in MITRE Caldera

Caldera (versions <=2.8.1) contains multiple startup "requirements" that execute commands when starting the server. Because these commands can be changed via the Rest API, an authenticated user can insert arbitrary commands that will execute when the server is restarted.
<br/>

### Vendor Disclosure:

The vendor's disclosure for this vulnerability can be found [here](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42559).

### Requirements:

This vulnerability requires:
<br/>
- Valid user credentials
- Waiting for the Caldera application to be restarted

### Proof Of Concept:

More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2021-42559/blob/main/Caldera%20-%20CVE-2021-42559.pdf).

File Snapshot


 [4.0K]  /data/pocs/a0c81a67028752aabd492735564a6f3988e90ef7
├── [397K]  Caldera - CVE-2021-42559.pdf
└── [ 823]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!