Impact
Operating system command injection is possible on installations of Sharetribe Go that do not have a secret AWS Simple Notification Service (SNS) notification token configured via the sns_notification_token configuration parameter. This parameter is unset by default, so an unmodified installation is affected.
Patches
The vulnerability has been patched in version 10.2.1.
Workarounds
Set the sns_notification_token configuration parameter to a secret value. Use a long random value (for example 32 bytes from a cryptographically secure generator), not a guessable string, and confirm after deployment that the parameter is actually populated in the running configuration.
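The following Ruby snippet is an added example for the workaround above; it is not Sharetribe Go's own code and does not show how the project validates the token internally. It generates a value suitable for sns_notification_token, refuses to start while the parameter is blank (the exact condition the advisory describes), and compares a presented token in constant time. The function and error names are hypothetical.

```ruby
require "securerandom"

# Added example (not Sharetribe Go's own code): generate a secret for the
# sns_notification_token parameter, fail closed while it is unset, and
# compare a presented token in constant time. Names here are hypothetical.

class MissingSnsTokenError < StandardError; end

# A 32-byte random value rendered as 64 hex characters; paste the result into
# the sns_notification_token configuration parameter.
def generate_sns_notification_token(bytes = 32)
  SecureRandom.hex(bytes)
end

# Boot-time guard: the advisory's vulnerable state is "token unset", so treat
# nil, empty and whitespace-only values identically and refuse to continue.
# `config` is a Hash mirroring the application's configuration parameters.
def check_sns_notification_token!(config)
  token = config["sns_notification_token"] || config[:sns_notification_token]
  if token.nil? || token.to_s.strip.empty?
    raise MissingSnsTokenError,
          "sns_notification_token is unset; the SNS notification endpoint must not run unauthenticated"
  end
  token.to_s
end

# Constant-time byte comparison so the token cannot be recovered one byte at a
# time through response timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Gate check a request handler would perform before processing an SNS message:
# a blank configured token never matches, whatever value was presented.
def sns_token_valid?(configured, presented)
  return false if configured.nil? || presented.nil?
  return false if configured.to_s.strip.empty?
  secure_equal?(configured.to_s, presented.to_s)
end

if __FILE__ == $0
  token = generate_sns_notification_token
  puts "sns_notification_token: #{token}"
  check_sns_notification_token!({ "sns_notification_token" => token })
  puts sns_token_valid?(token, token)        # true
  puts sns_token_valid?(token, token + "x")  # false
end
```

Run the script once to mint a token, place the printed value in the sns_notification_token parameter of the deployment's configuration, and keep a startup check of this shape so that a future redeploy with the parameter accidentally dropped fails loudly instead of silently reopening the unauthenticated endpoint.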
References
Acknowledgement
The vulnerability CVE-2021-41280 was discovered and reported by Wang Sheng of State Grid Sichuan Electric Power Research Institute.