Skip to content

Post-authentication remote code execution in ZStack(BatchQuery)

High
zxwing published GHSA-99wx-p6w8-3hg8 Nov 17, 2021

Package

zstack (https://github.com/zstackio)

Affected versions

<4.2.2,<4.3.0

Patched versions

>=4.2.2,>=4.3.0

Description

Impact

The ZStack releases before 4.2.2 and 4.3.0 are vulnerable to Remote Code Execution (RCE).

Patches

The problem already patched in ZStack 4.2.2, 4.3.0 and all further versions.

Workarounds

We strongly suggest users upgrade to patched versions. If you could not upgrade at once, please avoid exposing ZStack API service to public or any other untrusty network.

For more information

If you have any questions or comments about this advisory:

Severity

High
7.6
/ 10

CVSS base metrics

Attack vector
Local
Attack complexity
High
Privileges required
High
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE ID

No known CVE

Weaknesses

No CWEs

Credits