CVE-2021-32849
Published 2022-01-26
CVE-2021-32849: Gerapy is a distributed crawler management framework. Prior to version 0.9.9, an authenticated user could execute arbitrary commands. This issue is fixed in…
Priority: P1 78 high · CVSS 3.1: 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 7.65% (93.8th percentile)
Gerapy is a distributed crawler management framework. Prior to version 0.9.9, an authenticated user could execute arbitrary commands. This issue is fixed in version 0.9.9. There are no known workarounds.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gerapy | gerapy | < 0.9.9 | 0.9.9 |
| gerapy | gerapy | >= 0 < 0.9.9 | 0.9.9 |
| gerapy | gerapy | >= 0.9.9 < 0.9.9 | 0.9.9 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | | 8.8 | HIGH | |
OSV
CVE-2021-32849: Gerapy is a distributed crawler management framework
osv · 2022-01-26
Gerapy is a distributed crawler management framework. Prior to version 0.9.9, an authenticated user could execute arbitrary commands. This issue is fixed in version 0.9.9. There are no known workarounds.
OSV
An authenticated user can execute arbitrary command in Gerapy
osv · 2022-01-06 · CVE-2021-32849 [HIGH]
### Impact
An authenticated user can execute arbitrary command, see more in https://github.com/Gerapy/Gerapy/issues/211.
### Patches
Fixed in 0.9.9
GHSA
An authenticated user can execute arbitrary command in Gerapy
ghsa · 2022-01-06 · CVE-2021-32849 [HIGH] · CWE-77
### Impact
An authenticated user can execute arbitrary command, see more in https://github.com/Gerapy/Gerapy/issues/211.
### Patches
Fixed in 0.9.9
VulnCheck
gerapy gerapy: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2021 · CVE-2021-32849 [HIGH] · CVSS 8.8
Gerapy is a distributed crawler management framework. Prior to version 0.9.9, an authenticated user could execute arbitrary commands. This issue is fixed in version 0.9.9. There are no known workarounds.
Affected: gerapy gerapy
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-03-04&host_type=src&vulnerability=cve-2021-32849
Exploit PoC: https://vulncheck.com/xdb/44ac931966d0
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/Gerapy/Gerapy/issues/197
- https://github.com/Gerapy/Gerapy/issues/217
- https://github.com/Gerapy/Gerapy/security/advisories/GHSA-756h-r2c9-qp5j
- https://lgtm.com/projects/g/Gerapy/Gerapy?mode=tree&ruleFocus=1505994646253
- https://securitylab.github.com/advisories/GHSL-2021-076-gerapy/