Vulnerabilities > CVE-2020-5847 - Unspecified vulnerability in Unraid 6.8.0

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
unraid
critical
exploit available
metasploit
NVD
Published: 2020-03-16
Updated: 2022-07-12

Summary

Unraid through 6.8.0 allows Remote Code Execution.

Vulnerable Configurations

Part Description Count
Application
Unraid
1

Exploit-Db

idEDB-ID:48353
last seen2020-04-20
modified2020-04-20
published2020-04-20
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/48353
titleUnraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)

Metasploit

descriptionThis module exploits two vulnerabilities affecting Unraid 6.8.0. An authentication bypass is used to gain access to the administrative interface, and an insecure use of the extract PHP function can be abused for arbitrary code execution as root.
idMSF:EXPLOIT/LINUX/HTTP/UNRAID_AUTH_BYPASS_EXEC
last seen2020-06-14
modified2020-04-16
published2020-03-21
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/unraid_auth_bypass_exec.rb
titleUnraid 6.8.0 Auth Bypass PHP Code Execution

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/157275/unraid_auth_bypass_exec.rb.txt
idPACKETSTORM:157275
last seen2020-04-21
published2020-04-17
reporterNicolas Chatelain
sourcehttps://packetstormsecurity.com/files/157275/Unraid-6.8.0-Authentication-Bypass-Arbitrary-Code-Execution.html
titleUnraid 6.8.0 Authentication Bypass / Arbitrary Code Execution

Saint

descriptionUnraid webGui remote code execution
titleunraid_webgui_extract
typeremote

References