CVE-2021-42950

Remote Code Execution (RCE) vulnerability exists in Zepl Notebooks all previous versions before October 25 2021. Users can register for an account and are allocated a set number of credits to try the product. Once users authenticate, they can proceed to create a new organization by which additional users can be added for various collaboration abilities, which allows malicious user to create new Zepl Notebooks with various languages, contexts, and deployment scenarios. Upon creating a new notebook with specially crafted malicious code, a user can then launch remote code execution.

CVSS v3 8.8 HIGH
CVSS v2.0 6.5 MEDIUM

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://zepl.com	Vendor Advisory
https://seclists.org/fulldisclosure/2022/Feb/31	Mailing List Third Party Advisory
http://zepl.com	Vendor Advisory
https://seclists.org/fulldisclosure/2022/Feb/31	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:zepl:zepl:*:*:*:*:*:*:*:*

History

21 Nov 2024, 06:28

Type	Values Removed	Values Added
References	~~() http://zepl.com - Vendor Advisory~~	() http://zepl.com - Vendor Advisory
References	~~() https://seclists.org/fulldisclosure/2022/Feb/31 - Mailing List, Third Party Advisory~~	() https://seclists.org/fulldisclosure/2022/Feb/31 - Mailing List, Third Party Advisory

10 Mar 2022, 18:15

Type	Values Removed	Values Added
CWE		NVD-CWE-noinfo
References	~~(MISC) https://seclists.org/fulldisclosure/2022/Feb/31 -~~	(MISC) https://seclists.org/fulldisclosure/2022/Feb/31 - Mailing List, Third Party Advisory
References	~~(MISC) http://zepl.com -~~	(MISC) http://zepl.com - Vendor Advisory
CPE		cpe:2.3:a:zepl:zepl::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 6.5 v3 : 8.8

03 Mar 2022, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-03-03 03:15

Updated : 2024-11-21 06:28

NVD link : CVE-2021-42950

Mitre link : CVE-2021-42950

CVE.ORG link : CVE-2021-42950

JSON object : View

Products Affected

zepl

zepl

CWE

NVD-CWE-noinfo

8.8 /10