CVE-2019-5029
Published 2019-11-13
Priority P1 · 80 · critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 57.15% (98.9th percentile)
An exploitable command injection vulnerability exists in the Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7.1. Arbitrary shell commands surrounded by backticks or $() can be inserted into the editor and will be executed by the Exhibitor process when it launches ZooKeeper. An attacker can execute any command as the user running the Exhibitor process.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| exhibitor_project | exhibitor | — | — |
| exhibitor_project | exhibitor | 1.0.9 – 1.7.1 | — |
Detection & IOCs (extracted from sources)
Snort/Suricata rule (ET, sid 2061765):
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Exhibitor UI Command Injection Attempt Inbound (CVE-2019-5029)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/exhibitor/"; http.request_body; content:"|22|javaEnvironment|22 3a 20 22|"; fast_pattern; content:"|24 28|"; within:5; reference:cve,2019-5029; classtype:web-application-attack; sid:2061765; rev:1; metadata:attack_target Server, created_at 2025_04_21, cve CVE_2019_5029, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
Snort Rule: 49239 (Talos)
- Detect POST requests to the /exhibitor/ URI containing the 'javaEnvironment' key in the request body with $() or backtick command injection syntax. The ET rule keys on the byte sequence |22|javaEnvironment|22 3a 20 22| followed by |24 28| (i.e., "$(") within 5 bytes.
- Exploitation is performed via HTTP POST to the /exhibitor/v1/config/set endpoint; monitor for POST requests to this path, especially with a JSON body containing the 'javaEnvironment' field.
- Injected commands are placed in the 'javaEnvironment' JSON field surrounded by backticks or $(); alert on these patterns in the javaEnvironment value of config/set POST bodies.
- The Exhibitor Web UI has no authentication; any unauthenticated POST to /exhibitor/v1/config/set should be treated as suspicious and investigated.
- The injected command executes every time ZooKeeper is re-launched by Exhibitor; look for repeated unexpected child process spawning from the Exhibitor/ZooKeeper process, especially outbound network connections (e.g., netcat reverse shells).
- Exhibitor Web UI listens on TCP 8080 by default, but may be found on other ports; detection rules should not be port-restricted.
- Prior to version 1.7.0, Exhibitor had no way to restrict which interfaces it listened on, making it potentially exposed on all interfaces; version 1.7.0+ allows interface binding but still has no built-in authentication.
- The Snort rule 49239 from Talos may be updated; always refer to Firepower Management Center or Snort.org for the most current rule.
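The two detection approaches listed above (the ET rule's exact byte match, and the broader "backticks or $() anywhere in the javaEnvironment value" guidance) behave differently on real traffic. The following is an added example, not code from this page, from Emerging Threats, Talos or the Exhibitor project: it approximates the ET rule's `content` and `within:5` logic on a decoded HTTP request, adds a JSON-aware check on the `javaEnvironment` value of `/exhibitor/v1/config/set` bodies, and runs both over constructed sample requests. The request shapes and JSON bodies are assumptions built from the endpoint and field names given above.

```python
import json
import re

# Byte patterns mirrored from the ET rule (sid 2061765):
#   |22|javaEnvironment|22 3a 20 22|  ->  the JSON key  "javaEnvironment": "
#   |24 28|                           ->  "$("
ET_KEY_PATTERN = b'"javaEnvironment": "'
ET_SUBSHELL = b"$("
ET_WITHIN = 5  # Suricata `within:5`: "$(" must lie entirely in the 5 bytes after the key match

# Broader check from the IOC notes: $() or a backtick anywhere in the value.
SUBSTITUTION_RE = re.compile(r"\$\(|`")
CONFIG_SET_PATH = "/exhibitor/v1/config/set"  # endpoint named in the IOC notes


def et_rule_matches(method: str, uri: str, body: bytes) -> bool:
    """Approximate the ET rule's content checks on one decoded HTTP request."""
    if method != "POST" or "/exhibitor/" not in uri:
        return False
    idx = body.find(ET_KEY_PATTERN)
    if idx == -1:
        return False
    end = idx + len(ET_KEY_PATTERN)
    # `within:5`: the next content must fit completely inside body[end:end+5]
    return ET_SUBSHELL in body[end:end + ET_WITHIN]


def config_set_value_is_suspicious(uri: str, body: bytes) -> bool:
    """Parse a config/set body as JSON and flag $() or backticks in javaEnvironment."""
    if not uri.startswith(CONFIG_SET_PATH):
        return False
    try:
        doc = json.loads(body.decode("utf-8", errors="replace"))
    except ValueError:
        return False  # not JSON; nothing to inspect at this layer
    value = doc.get("javaEnvironment") if isinstance(doc, dict) else None
    return isinstance(value, str) and SUBSTITUTION_RE.search(value) is not None


def classify(method: str, uri: str, body: bytes) -> dict:
    """Return the verdict of both detection layers for one request."""
    return {
        "et_rule": et_rule_matches(method, uri, body),
        "value_check": config_set_value_is_suspicious(uri, body),
    }


# Constructed sample requests (assumed shapes; the payloads use the harmless `true`).
SAMPLE_REQUESTS = [
    ("benign config change", "POST", CONFIG_SET_PATH,
     b'{"javaEnvironment": "-Xmx512m", "zooCfgExtra": ""}'),
    ("$( immediately after the key", "POST", CONFIG_SET_PATH,
     b'{"javaEnvironment": "$(true)"}'),
    ("backtick later in the value", "POST", CONFIG_SET_PATH,
     b'{"javaEnvironment": "-Xmx512m `true`"}'),
    ("compact JSON, no space after colon", "POST", CONFIG_SET_PATH,
     b'{"javaEnvironment":"$(true)"}'),
    ("unrelated GET", "GET", "/exhibitor/v1/config/get-state", b""),
]


def run_samples() -> list:
    """Classify every sample; returns (label, verdict) pairs."""
    return [(label, classify(m, u, b)) for label, m, u, b in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for label, verdict in run_samples():
        print(f"{label:40s} ET rule={verdict['et_rule']!s:5s} value check={verdict['value_check']}")
```

The byte-exact rule fires only when `$(` sits within five bytes of the literal key bytes, so a backtick further into the value, or a body serialized without the space after the colon, is seen only by the JSON-aware check; the IOC notes above recommend alerting on the value itself, and layering the second check over the IDS signature is how that guidance is put into practice.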
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Suricata
ET WEB_SPECIFIC_APPS Exhibitor UI Command Injection Attempt Inbound (CVE-2019-5029)
suricata · 2025-04-21 · CVSS 9.8 · [CRITICAL]
Rule: the ET rule with sid 2061765, quoted in full under Detection & IOCs above.
Talos
Vulnerability Spotlight: Command injection bug in Exhibitor UI
blogs_talos · 2019-11-13 · CVSS 9.8 · [CRITICAL]
## Vulnerability Spotlight: Command injection bug in Exhibitor UI
Logan Sanderson of Cisco ASIG discovered this vulnerability.
Exhibitor Web UI contains an exploitable command injection vulnerability in its Config editor. Exhibitor is a ZooKeeper supervisory process. Exhibitor's Web UI does not have any form of authentication, and prior to version 1.7.0, did not have any way to specify which interfaces to listen on. Exposing Exhibitor is dangerous for the ZooKeeper ensemble because Exhibitor allows the changing of the ZooKeeper configuration, and also provides a UI for viewing and modifying keys and values stored in ZooKeeper. This could eventually allow an attacker to manipulate Exhibitor when launching ZooKeeper.
Per Cisco's vulnerability disclosure policy, we are publishing the details of this vulnerability without a patch from Exhibitor after a se