CVE-2021-31581
Akkadian Provisioning Manager Engine (PME) Shell Escape via 'vi' editor interface
Vexday Risk Score
36Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 7.9EPSS 1.2%KEV nãoPoC —Nuclei simMetasploit —Patch —
Lifecycle
22 Jul 2021Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
The restricted shell provided by Akkadian Provisioning Manager Engine (PME) can be escaped by abusing the 'Edit MySQL Configuration' command. This command launches a standard vi editor interface which can then be escaped. This issue was resolved in Akkadian OVA appliance version 3.0 (and later), Akkadian Provisioning Manager 5.0.2 (and later), and Akkadian Appliance Manager 3.3.0.314-4a349e0 (and later).
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Affected products
Akkadian · Provisioning Manager Engine (PME)Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →