CVE-2021-31581 HIGH

CVE-2021-31581: Akkadian Provisioning Manager Engine (PME) Shell Escape via 'vi' editor interface

Vendor: Akkadian
Product: Provisioning Manager Engine (PME)
Weakness: CWE-269
Published: July 22, 2021
Last update: August 3, 2024

CVSS base score

7.9/10
Attack vector: Local
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

01 Description

The restricted shell provided by Akkadian Provisioning Manager Engine (PME) can be escaped by abusing the 'Edit MySQL Configuration' command. This command launches a standard vi editor interface, which can then be escaped. This issue was resolved in Akkadian OVA appliance version 3.0 (and later), Akkadian Provisioning Manager 5.0.2 (and later), and Akkadian Appliance Manager 3.3.0.314-4a349e0 (and later).

Key dates

02 Disclosure timeline

July 22, 2021: CVE published
August 3, 2024: Record updated