CVE-2021-21406 (GCVE-0-2021-21406)
Vulnerability from cvelistv5 – Published: 2021-07-21 15:05 – Updated: 2024-08-03 18:09
VLAI
EPSS
VEX
Title
Command Injection vulnerability in the Setup Wizard
Summary
Combodo iTop is an open source, web based IT Service Management tool. In versions prior to 2.7.4, there is a command injection vulnerability in the Setup Wizard when providing Graphviz executable path. The vulnerability is patched in version 2.7.4 and 3.0.0.
Severity
5.8 (Medium)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Combodo/iTop/security/advisori… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:16.146Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-pf95-6h7q-q85x"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is an open source, web based IT Service Management tool. In versions prior to 2.7.4, there is a command injection vulnerability in the Setup Wizard when providing Graphviz executable path. The vulnerability is patched in version 2.7.4 and 3.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-21T15:05:10.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-pf95-6h7q-q85x"
}
],
"source": {
"advisory": "GHSA-pf95-6h7q-q85x",
"discovery": "UNKNOWN"
},
"title": "Command Injection vulnerability in the Setup Wizard",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21406",
"STATE": "PUBLIC",
"TITLE": "Command Injection vulnerability in the Setup Wizard"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_value": "\u003c 2.7.4"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Combodo iTop is an open source, web based IT Service Management tool. In versions prior to 2.7.4, there is a command injection vulnerability in the Setup Wizard when providing Graphviz executable path. The vulnerability is patched in version 2.7.4 and 3.0.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-pf95-6h7q-q85x",
"refsource": "CONFIRM",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-pf95-6h7q-q85x"
}
]
},
"source": {
"advisory": "GHSA-pf95-6h7q-q85x",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21406",
"datePublished": "2021-07-21T15:05:10.000Z",
"dateReserved": "2020-12-22T00:00:00.000Z",
"dateUpdated": "2024-08-03T18:09:16.146Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2021-21406",
"date": "2026-07-09",
"epss": "0.01032",
"percentile": "0.59668"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.7.4\", \"matchCriteriaId\": \"299D23A7-798A-4E44-AA25-E01E76440704\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:combodo:itop:2.7.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0E66F946-7B72-4C15-882F-E894160EE56E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:combodo:itop:2.7.5-1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E1E379FD-E855-4137-B696-CF22BA59BA90\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Combodo iTop is an open source, web based IT Service Management tool. In versions prior to 2.7.4, there is a command injection vulnerability in the Setup Wizard when providing Graphviz executable path. The vulnerability is patched in version 2.7.4 and 3.0.0.\"}, {\"lang\": \"es\", \"value\": \"Combodo iTop es una herramienta de administraci\\u00f3n de servicios de TI de c\\u00f3digo abierto basada en la web. En versiones anteriores a 2.7.4, se presenta una vulnerabilidad de inyecci\\u00f3n de comandos en el Asistente de Configuraci\\u00f3n cuando se proporciona la ruta del ejecutable de Graphviz. La vulnerabilidad est\\u00e1 parcheada en versiones 2.7.4 y 3.0.0\"}]",
"id": "CVE-2021-21406",
"lastModified": "2024-11-21T05:48:17.527",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N\", \"baseScore\": 5.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.3, \"impactScore\": 4.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2021-07-21T15:15:13.950",
"references": "[{\"url\": \"https://github.com/Combodo/iTop/security/advisories/GHSA-pf95-6h7q-q85x\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/Combodo/iTop/security/advisories/GHSA-pf95-6h7q-q85x\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-77\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-77\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-21406\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-07-21T15:15:13.950\",\"lastModified\":\"2024-11-21T05:48:17.527\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Combodo iTop is an open source, web based IT Service Management tool. In versions prior to 2.7.4, there is a command injection vulnerability in the Setup Wizard when providing Graphviz executable path. The vulnerability is patched in version 2.7.4 and 3.0.0.\"},{\"lang\":\"es\",\"value\":\"Combodo iTop es una herramienta de administraci\u00f3n de servicios de TI de c\u00f3digo abierto basada en la web. En versiones anteriores a 2.7.4, se presenta una vulnerabilidad de inyecci\u00f3n de comandos en el Asistente de Configuraci\u00f3n cuando se proporciona la ruta del ejecutable de Graphviz. La vulnerabilidad est\u00e1 parcheada en versiones 2.7.4 y 3.0.0\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N\",\"baseScore\":5.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.3,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.7.4\",\"matchCriteriaId\":\"299D23A7-798A-4E44-AA25-E01E76440704\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:combodo:itop:2.7.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0E66F946-7B72-4C15-882F-E894160EE56E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:combodo:itop:2.7.5-1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E1E379FD-E855-4137-B696-CF22BA59BA90\"}]}]}],\"references\":[{\"url\":\"https://github.com/Combodo/iTop/security/advisories/GHSA-pf95-6h7q-q85x\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/Combodo/iTop/security/advisories/GHSA-pf95-6h7q-q85x\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…