Vulnerability Description
A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0.
CVSS Score
7.2 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Osgeo | Geonetwork | >= 3.4.0, < 3.12.0 |
Related Weaknesses (CWE)
References
- https://geonetwork-opensource.org/ (Product)
- https://geonetwork-opensource.org/manuals/trunk/en/overview/change-log/version-3 (Patch, Release Notes, Vendor Advisory)
- https://github.com/geonetwork/core-geonetwork (Third Party Advisory)
- https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-cf8p-c88c (Mitigation, Patch, Third Party Advisory)
FAQ
What is CVE-2021-28398?
CVE-2021-28398 is a vulnerability with a CVSS score of 7.2 (HIGH). A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Adm...
How severe is CVE-2021-28398?
CVE-2021-28398 has been rated HIGH with a CVSS base score of 7.2/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2021-28398?
Check the references section above for vendor advisories and patch information. Affected products include: Osgeo Geonetwork.