CVE-2021-23154

Command injection in Lens causes arbitrary shell command execution when malicious custom helm chart configuration provided

CVSS 6.3 MEDIUMEPSS 0.6%CWE-94

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.3EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

10 Jan 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

In Lens prior to 5.3.4, custom helm chart configuration creates helm commands from string concatenation of provided arguments which are then executed in the user's shell. Arguments can be provided which cause arbitrary shell commands to run on the system.

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Affected products

Mirantis · Lens

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/Mirantis/security/blob/main/advisories/0003.md