Beanstalkd < 1.4.6 Remote Beanstalkd Command Injection

High Nessus Plugin ID 46884

Synopsis

The remote host has an application that may allow modification of data via a restricted set of commands.

Description

The installed version of Beanstalkd allows injection of Beanstalk commands.

A malicious producer process or client could exploit this issue to inject arbitrary beanstalkd commands via the 'PUT' command, allowing it to view the status of existing jobs or delete jobs from the Beanstalkd queue without the cooperation of the consumer process or client.

Solution

Upgrade to version 1.4.6 or later.

See Also

http://kr.github.io/beanstalkd/2010/05/23/1.4.6-release-notes.html

https://bugs.gentoo.org/show_bug.cgi?id=322457

Plugin Details

Severity: High

ID: 46884

File Name: beanstalkd_remote_beanstalk_cmd_inject.nasl

Version: 1.10

Type: remote

Family: Misc.

Published: 2010/06/14

Updated: 2018/11/15

Dependencies: 46883

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

Exploit Available: false

Exploit Ease: No known exploits are available

Exploited by Nessus: true

Patch Publication Date: 2010/05/23

Vulnerability Publication Date: 2010/05/23

Reference Information

CVE: CVE-2010-2060

BID: 40516

Secunia: 40032