Vulnerability Description
A command injection vulnerability was found in the web administration console in SoftNAS Cloud before 4.0.3. In particular, the snserv script did not sanitize the 'recentVersion' parameter from the snserv endpoint, allowing an unauthenticated attacker to execute arbitrary commands with root permissions.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Softnas | Cloud | < 4.0.3 |
Related Weaknesses (CWE)
References
- http://seclists.org/fulldisclosure/2018/Jul/85ExploitMailing ListThird Party Advisory
- http://www.securityfocus.com/bid/104914Third Party AdvisoryVDB Entry
- https://docs.softnas.com/display/SD/Release+NotesVendor Advisory
- https://www.coresecurity.com/advisories/softnas-cloud-os-command-injectionExploitThird Party Advisory
- https://www.exploit-db.com/exploits/45097/ExploitThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2018/Jul/85ExploitMailing ListThird Party Advisory
- http://www.securityfocus.com/bid/104914Third Party AdvisoryVDB Entry
- https://docs.softnas.com/display/SD/Release+NotesVendor Advisory
- https://www.coresecurity.com/advisories/softnas-cloud-os-command-injectionExploitThird Party Advisory
- https://www.exploit-db.com/exploits/45097/ExploitThird Party AdvisoryVDB Entry
FAQ
What is CVE-2018-14417?
CVE-2018-14417 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A command injection vulnerability was found in the web administration console in SoftNAS Cloud before 4.0.3. In particular, the snserv script did not sanitize the 'recentVersion' parameter from the sn...
How severe is CVE-2018-14417?
CVE-2018-14417 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-14417?
Check the references section above for vendor advisories and patch information. Affected products include: Softnas Cloud.