Description
The Device42 Main Appliance before 17.05.01 does not sanitize user input in its Nmap Discovery utility. An attacker (with permissions to add or edit jobs run by this utility) can inject an extra argument to overwrite arbitrary files as the root user on the Remote Collector.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_misc
https://docs.device42.com/auto-discovery/remote-collector-rc/
Vendor Advisory x_refsource_misc
https://blog.device42.com/2021/09/critical-fixes-in-17-05-01/
Product, Vendor Advisory x_refsource_misc
https://docs.device42.com/auto-discovery/nmap-autodiscovery/
Scores
CVSS v3
8.1
EPSS
0.0139
EPSS Percentile
68.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Details
CWE
CWE-88
Status
published
Products (1)
device42/device42
< 17.05.01
Published
Sep 17, 2021
Tracked Since
Feb 18, 2026