CVE-2021-38557

HIGH8.8EPSS 0.73%

raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions.

發布日:2021/9/2修改日:2023/11/8

描述

raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content.

受影響套件(1)

Packagist/billz/raspap-webguifrom 0, <= 2.6.6

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-38557
PATCHhttps://github.com/RaspAP/raspap-webgui
WEBhttps://github.com/RaspAP/raspap-webgui/blob/fabc48c7daae4013b9888f266332e510b196a062/installers/raspap.sudoers
WEBhttps://zerosecuritypenetrationtesting.com/?page_id=306