CVE-2021-41282

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-41282

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41282.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-41282

Published

2022-03-01T23:15:08Z

Modified

2025-01-08T08:20:44.545028Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.

References

Affected packages

Git / github.com/pfsense/pfsense

Affected ranges

Type: GIT
Repo: https://github.com/pfsense/pfsense
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

81891ef87be63352e1c32d28ca9fc08bbf641989

Affected versions

Other

RELENG_2_2_BETA

Root_RELENG_1_2

v2.*

v2.5.2