CVE-2021-46704: OS Command Injection in GenieACS

March 6, 2022 (updated March 11, 2022)

In GenieACS 1.2.x before 1.2.8, the UI interface API is vulnerable to unauthenticated OS command injection via the ping host argument (lib/ui/api.ts and lib/ping.ts). The vulnerability arises from insufficient input validation combined with a missing authorization check.

References

github.com/advisories/GHSA-2877-693q-pj33
github.com/genieacs/genieacs/commit/7f295beeecc1c1f14308a93c82413bb334045af6
github.com/genieacs/genieacs/releases/tag/v1.2.8
nvd.nist.gov/vuln/detail/CVE-2021-46704

Detect and mitigate CVE-2021-46704 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →