#VU55590 Improper Protection of Alternate Path in cni - CVE-2021-20206
Published: August 5, 2021
Vulnerability identifier: #VU55590
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-20206
CWE-ID: CWE-424
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
cni
cni
Software vendor:
CNI
CNI
Description
The vulnerability allows a remote user to compromise the affected system.
the vulnerability exists due to improper input validation. When specifying the plugin to load in the 'type' field in the network configuration, it is possible to use special elements such as "../" separators to reference binaries elsewhere on the system. This flaw allows a remote user to execute other existing binaries other than the cni plugins/types, such as 'reboot'.
Remediation
Install updates from vendor's website.