CVE-2021-42950 Information

Description

Remote Code Execution (RCE) vulnerability exists in Zepl Notebooks all previous versions before October 25 2021. Users can register for an account and are allocated a set number of credits to try the product. Once users authenticate they can proceed to create a new organization by which additional users can be added for various collaboration abilities which allows malicious user to create new Zepl Notebooks with various languages contexts and deployment scenarios. Upon creating a new notebook with specially crafted malicious code a user can then launch remote code execution.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

http://zepl.com https://seclists.org/fulldisclosure/2022/Feb/31

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.8