CVE-2021-32513

QSAN Storage Manager - Command Injection Following via QsanTorture function

CVSS 9.8 (Critical) · EPSS 2.1% · CWE-78 · KEV: no
Vexday Risk Score: 28 (Low)
SSVC decision (CISA): Track (no exploitation signal → monitor)
Lifecycle: 07 Jul 2021, published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
In short

QSAN Storage Manager's QsanTorture function fails to validate user input, allowing attackers to inject and execute arbitrary commands on the server without authentication. This is critical because it gives complete control of the storage system to remote attackers.

Technical detail

A CWE-78 OS command injection vulnerability exists in the QsanTorture function because its special parameters are not sufficiently validated. Remote unauthenticated attackers can inject OS commands through these unfiltered parameters and achieve arbitrary command execution with system privileges. Fixed in QSAN Storage Manager v3.3.3.

Summary generated and translated by AI from the official description.
QsanTorture in QSAN Storage Manager does not filter special parameters properly, which allows remote unauthenticated attackers to inject and execute arbitrary commands. The referred vulnerability has been solved with the updated version of QSAN Storage Manager v3.3.3.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
QSAN · Storage Manager
