CVE-2019-5029

CRITICAL

Exhibitor Web UI <1.7.1 - Command Injection

Title source: llm

Description

An exploitable command injection vulnerability exists in the Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7.1. Arbitrary shell commands surrounded by backticks or $() can be inserted into the editor and will be executed by the Exhibitor process when it launches ZooKeeper. An attacker can execute any command as the user running the Exhibitor process.

Exploits (3)

exploitdb WORKING POC
by Logan Sanderson · text · webapps · java
https://www.exploit-db.com/exploits/48654

nomisec WORKING POC 4 stars
by thehunt1s0n · poc
https://github.com/thehunt1s0n/Exihibitor-RCE

nomisec WORKING POC
by yZee00 · poc
https://github.com/yZee00/CVE-2019-5029

Scores

CVSS v3 9.8
EPSS 0.8516
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-78
Status published
Products (1)
exhibitor_project/exhibitor 1.0.9 - 1.7.1
Published Nov 13, 2019
Tracked Since Feb 18, 2026