CVE-2018-1000666

moderate-risk
Published 2018-09-06

GIG Technology NV JumpScale Portal 7 version before commit 15443122ed2b1cbfd7bdefc048bf106f075becdb contains a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in method: notifySpaceModification; that can result in Improper validation of parameters results in command execution. This attack appear to be exploitable via Network connectivity, required minimal auth privileges (everyone can register an account). This vulnerability appears to have been fixed in After commit 15443122ed2b1cbfd7bdefc048bf106f075becdb.

Do I need to act?

~
3.6% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 6e7b751de9efc81650717d9a7fc45f96fd13e820
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Openvcloud
Jumpscale

Affected Vendors

Openvcloud Project Gig

References (10)

Exploit https://github.com/0-complexity/openvcloud/issues/1207
Exploit https://github.com/jumpscale7/jumpscale_portal/blob/c997bb1824862b08246d60e34e95...
Broken Link https://github.com/jumpscale7/jumpscale_portal/pull/108
https://medium.com/%40vrico315/vulnerability-in-jumpscale-portal-7-a88098a1caca
Exploit https://telegra.ph/Description-of-vulnerability-in-JumpScale-Portal-7-08-23
Exploit https://github.com/0-complexity/openvcloud/issues/1207
Exploit https://github.com/jumpscale7/jumpscale_portal/blob/c997bb1824862b08246d60e34e95...
Broken Link https://github.com/jumpscale7/jumpscale_portal/pull/108
https://medium.com/%40vrico315/vulnerability-in-jumpscale-portal-7-a88098a1caca
Exploit https://telegra.ph/Description-of-vulnerability-in-JumpScale-Portal-7-08-23
46
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 7/34 · Low
Exposure 7/34 · Low