CVE-2021-33523: Remote Code Execution (new JDBC driver)
Vendor: Software AG
Vendor URL: https://www.softwareag.com/corporate/products/az/mashzone_nextgen/default
Versions affected: MashZone NextGen 10.7 GA | Build 1607 (Vendor did not provide data about other affected versions)
Discovered by: Marcos Díaz
Public fix: No
Proof of Concept: No
Summary
MashZone NextGen 10.7 GA | Build 1607, and likely other/older versions, is affected by a remote code execution vulnerability.
Details
MashZone NextGen allows an administrator to install a new JDBC driver. This feature can be abused to execute arbitrary commands on the underlying host or to deploy a webshell.
Impact
An attacker holding administrative credentials can use this vulnerability to execute arbitrary code on the server.
Recommendation
Make sure you have changed the default administrative credentials. At this point we do not have information about a fix from Software AG.
Timeline
- 19/05/2021 - Reported vulnerability to vendor
- 31/08/2021 - A representative from Software AG asks for details
- 30/03/2022 - Public Disclosure