CVE-2021-38557
published 2021-08-24CVE-2021-38557: raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute…
PriorityP357high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
2.22%
80.5th percentile
raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| billz | raspap-webgui | 0 – 2.6.6 | — |
| raspap | raspap | — | — |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions.
ghsa·2021-09-02
CVE-2021-38557 [HIGH] CWE-276 raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions.
raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions.
raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content.
OSV
raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions.
osv·2021-09-02
CVE-2021-38557 [HIGH] raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions.
raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions.
raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/RaspAP/raspap-webguihttps://github.com/RaspAP/raspap-webgui/blob/fabc48c7daae4013b9888f266332e510b196a062/installers/raspap.sudoershttps://zerosecuritypenetrationtesting.com/?page_id=306https://github.com/RaspAP/raspap-webguihttps://github.com/RaspAP/raspap-webgui/blob/fabc48c7daae4013b9888f266332e510b196a062/installers/raspap.sudoershttps://zerosecuritypenetrationtesting.com/?page_id=306
2021-08-24
Published