CVE-2021-31581

Published: Jul 22, 2021Modified: Nov 21, 2024

4.4

Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Exploitability: 0.8 / Impact: 3.6

Source: NVD

Description

The restricted shell provided by Akkadian Provisioning Manager Engine (PME) can be escaped by abusing the 'Edit MySQL Configuration' command. This command launches a standard vi editor interface which can then be escaped. This issue was resolved in Akkadian OVA appliance version 3.0 (and later), Akkadian Provisioning Manager 5.0.2 (and later), and Akkadian Appliance Manager 3.3.0.314-4a349e0 (and later).

Affected (3)

Products: Akkadianlabs: Ova Appliance, Provisioning Manager

Akkadianlabs

2 products

Ova Appliance

Provisioning Manager

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Akkadianlabs Ova Appliance	Before 3.0
Akkadianlabs Provisioning Manager	From 3.0.0 to 3.3.0.314-4a349e0
Akkadianlabs Provisioning Manager	From 4.0.0 to 5.0.2

Related CWEs

CWE-269

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CWE-312

Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

References (2)

https://www.rapid7.com/blog/post/2021/06/08/akkadian-provisioning-manager-multiple-vulnerabilities-disclosure/

Source: cve@rapid7.com

ExploitThird Party Advisory

https://www.rapid7.com/blog/post/2021/06/08/akkadian-provisioning-manager-multiple-vulnerabilities-disclosure/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.