CVE-2021-23154— Command injection in Lens causes arbitrary shell command execution when malicious custom helm chart configuration provided
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-23154
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Command injection in Lens causes arbitrary shell command execution when malicious custom helm chart configuration provided
Source: NVD (National Vulnerability Database)
Vulnerability Description
In Lens prior to 5.3.4, custom helm chart configuration creates helm commands from string concatenation of provided arguments which are then executed in the user's shell. Arguments can be provided which cause arbitrary shell commands to run on the system.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Lens 操作系统命令注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Lens是OpenLens 存储库的分发版,其中包含在传统EULA下发布的 Team Lens 特定定制。 Lens 5.3.4 之前的版本中存在操作系统命令注入漏洞,该漏洞源于自定义 helm 图表配置从提供的参数的字符串连接创建 helm 命令,然后在用户的 shell 中执行。攻击者可以提供导致任意 shell 命令在系统上运行的参数。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2021-23154
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-23154
请登录查看更多情报信息。
Same Patch Batch · Mirantis · 2022-01-10 · 3 CVEs total
| CVE-2021-44458 | 8.3 HIGH | Lack of websocket authentication in Lens causes remote code execution when visiting a mali |
| CVE-2021-23218 | 5.3 MEDIUM | Memory Leak in Mirantis Container Runtime (MCR) running in FIPS mode causes a Denial of Se |
IV. Related Vulnerabilities
Same vendor: Mirantis
Same weakness: CWE-94
- CVE-2021-47939
Evolution CMS 3.1.6 Authenticated Remote Code Execution via - CVE-2021-47938
ImpressCMS 1.4.2 Remote Code Execution via Autotasks - CVE-2021-47935
Sentry 8.2.0 Remote Code Execution via Pickle Deserializatio - CVE-2022-50944
Aero CMS 0.0.1 PHP Code Injection via posts.php - CVE-2026-8211
codelibs Fess JSP File AdminDesignAction.java update code in
V. Comments for CVE-2021-23154
No comments yet