cvelist/2021/23xxx/CVE-2021-23154.json

{
    "CVE_data_meta": {
        "ASSIGNER": "psirt@mirantis.com",
        "ID": "CVE-2021-23154",
        "STATE": "PUBLIC",
        "TITLE": "Command injection in Lens causes arbitrary shell command execution when malicious custom helm chart configuration provided"
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "product": {
                        "product_data": [
                            {
                                "product_name": "Lens",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "<=",
                                            "version_name": "5.3",
                                            "version_value": "5.3.3"
                                        }
                                    ]
                                }
                            }
                        ]
                    },
                    "vendor_name": "Mirantis"
                }
            ]
        }
    },
    "credit": [
        {
            "lang": "eng",
            "value": "Eren Karahasan (locomoco.dev@gmail.com)"
        }
    ],
    "data_format": "MITRE",
    "data_type": "CVE",
    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "In Lens prior to 5.3.4, custom helm chart configuration creates helm commands from string concatenation of provided arguments which are then executed in the user's shell. Arguments can be provided which cause arbitrary shell commands to run on the system."
            }
        ]
    },
    "generator": {
        "engine": "Vulnogram 0.0.9"
    },
    "impact": {
        "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
        }
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "CWE-94 Improper Control of Generation of Code ('Code Injection')"
                    }
                ]
            }
        ]
    },
    "references": {
        "reference_data": [
            {
                "refsource": "MISC",
                "url": "https://github.com/Mirantis/security/blob/main/advisories/0003.md",
                "name": "https://github.com/Mirantis/security/blob/main/advisories/0003.md"
            }
        ]
    },
    "source": {
        "advisory": "0003",
        "discovery": "UNKNOWN"
    }
}