Home > Vulnerability Database > CVE-2021-28398

Mend.io Vulnerability Database

CVE-2021-28398

Date: September 5, 2022

A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0.

Language: Java

Severity Score

7.2

Related Resources (6)

Url: https://github.com/geonetwork/core-geonetwork

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-28398

Url: https://geonetwork-opensource.org/manuals/trunk/en/overview/change-log/version-3.6.0.html

Url: https://geonetwork-opensource.org/

Url: https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-cf8p-c88c-h9jf

Url: https://www.mend.io/vulnerability-database/CVE-2021-28398

Severity Score

7.2

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

CVSS v3.1

Base Score:	7.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2021-28398

Date: September 5, 2022

Language: Java

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?