CVE-2021-32512
QSAN Storage Manager - Command Injection via QuickInstall function
In short
QSAN Storage Manager's QuickInstall function allows attackers to run any command on the server without authentication. An attacker can exploit this by sending specially crafted requests to take complete control of the storage system.
Technical detail
The QuickInstall function in QSAN Storage Manager fails to properly sanitize user-supplied parameters, enabling OS command injection (CWE-78). Remote unauthenticated attackers can inject arbitrary shell commands through unfiltered parameters; exploitation requires network access to the vulnerable interface. Successful exploitation grants full system command execution with the privileges of the affected service.
Summary generated and translated by AI from the official description.
QuickInstall in QSAN Storage Manager does not filter special parameters properly, which allows remote unauthenticated attackers to inject and execute arbitrary commands. The referred vulnerability has been solved with the updated version of QSAN Storage Manager v3.3.3.
CVSS v3.1 base score 9.8 (Critical): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
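The CWE-78 pattern described above, as an added illustration that is not QSAN's code and not a reproduction of this CVE: a hypothetical install handler that takes a hostname parameter (an assumed name; the page does not document QuickInstall's parameters) and concatenates it into a shell command line, beside a hardened version that allowlists the value and never invokes a shell. The sample values are constructed, and echo stands in for whatever the real install step would run, so the demo is harmless.

```python
import re
import subprocess

# Constructed sample values (not real QSAN parameters or payloads): a benign
# hostname and one carrying a shell metacharacter.
BENIGN = "nas01"
CRAFTED = "nas01; echo INJECTED"

# Allowlist for a hostname label: letters, digits, dot, hyphen, 1..63 chars.
# This regex is our own assumption about what a hostname field should accept.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,62}$")


def run_vulnerable(hostname: str) -> str:
    """CWE-78 pattern: user input concatenated into a string handed to /bin/sh.
    With shell=True the ';' in CRAFTED terminates the echo and starts a second
    command, which the shell executes with the service's privileges."""
    cmd = "echo " + hostname
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_no_shell(hostname: str) -> str:
    """First hardening layer: pass an argv list and never invoke a shell.
    Metacharacters are now literal bytes of one argument; nothing else runs."""
    return subprocess.run(["echo", hostname], capture_output=True, text=True).stdout


def is_valid_hostname(value: str) -> bool:
    """Second layer: reject anything outside the allowlist before it is used."""
    return HOSTNAME_RE.fullmatch(value) is not None


def run_hardened(hostname: str) -> str:
    """Both layers together: validate the parameter, then execute without a shell."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostname parameter: {hostname!r}")
    return run_no_shell(hostname)


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(CRAFTED)))   # second command ran
    print("no shell:  ", repr(run_no_shell(CRAFTED)))     # metacharacter is literal
    print("hardened:  ", repr(run_hardened(BENIGN)))
    try:
        run_hardened(CRAFTED)
    except ValueError as exc:
        print("hardened:  ", exc)
```

Validation alone is not enough when the value is still spliced into a shell string (an allowlist bug or a later parameter reuses the same sink), and argv-only execution alone still lets an attacker pass unexpected option strings to the target program; the fix that holds up is both layers, applied at the point where the untrusted parameter enters.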
Affected products
QSAN · Storage Manager (fixed in v3.3.3)