CVE-2021-41583

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-41583

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41583.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-41583

Published

2021-09-24T03:15:06Z

Modified

2025-01-08T08:20:22.684375Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

vpn-user-portal (aka eduVPN or Let's Connect!) before 2.3.14, as packaged for Debian 10, Debian 11, and Fedora, allows remote authenticated users to obtain OS filesystem access, because of the interaction of QR codes with an exec that uses the -r option. This can be leveraged to obtain additional VPN access.

References

Affected packages

Git / github.com/eduvpn/vpn-user-portal

Affected ranges

Type: GIT
Repo: https://github.com/eduvpn/vpn-user-portal
Events: Introduced

3a850e1df3b81811623ffcce7823359915661fba

Fixed

17465316ec610d5a55dcc0bf538522ca612993c2

Affected versions

2.*

2.3.10

2.3.11

2.3.12

2.3.13

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.3.9