Untrusted input execution via igetwild in all iRODS versions before 4.1.11 and 4.2.1 allows other iRODS users (potentially anonymous) to execute remote shell commands via iRODS virtual pathnames. To exploit this vulnerability, a virtual iRODS pathname that includes a semicolon would be retrieved via igetwild. Because igetwild is a Bash script, the part of the pathname following the semicolon would be executed in the user's shell.
References
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-05-05T18:00:00

Updated: 2024-08-05T16:48:22.534Z

Reserved: 2017-05-05T00:00:00

Link: CVE-2017-8799

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2017-05-05T18:29:00.557

Modified: 2024-11-21T03:34:43.757

Link: CVE-2017-8799

cve-icon Redhat

No data.