CVE-2017-15103: OS Command Injection in Heketi

Severity
8.8 HIGH (NVD)
EPSS
2.4% (top 14.84%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Dec 18
Latest update: Jun 4

Description

A security-check flaw was found in the way the Heketi 5 server API handled user requests. An authenticated Heketi user could send specially crafted requests to the Heketi server, resulting in remote command execution as the user running the Heketi server and possibly privilege escalation.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (3 packages)

Also affects: Enterprise Linux 7.0

Patches

🔴 Vulnerability Details (4)

OSV: Heketi Arbitrary Code Execution in github.com/heketi/heketi (2024-06-04)
OSV: Heketi Arbitrary Code Execution (2024-04-24)
GHSA: Heketi Arbitrary Code Execution (2024-04-24)
CVEList: CVE-2017-15103: A security-check flaw was found in the way the Heketi 5 server API handled user requests (2017-12-18)

📋 Vendor Advisories (1)

Red Hat: heketi: OS command injection in heketi API (2017-12-18)

💬 Community (3)

Bugzilla: CVE-2017-15103 heketi: OS command injection in heketi API [fedora-all] (2017-12-18)
Bugzilla: CVE-2017-15103 heketi: OS command injection in heketi API [epel-all] (2017-12-18)
Bugzilla: CVE-2017-15103 heketi: OS command injection in heketi API (2017-11-06)
CVE-2017-15103: OS Command Injection in Heketi | cvebase