Beanstalkd < 1.4.6 Remote Beanstalkd Command Injection

Severity: High | Nessus Plugin ID 46884

Synopsis

The remote host is running a job queue service that may allow an attacker to view or modify queued data by injecting a restricted set of queue commands.

Description

The version of Beanstalkd installed on the remote host is earlier than 1.4.6 and allows injection of Beanstalk protocol commands.

A malicious producer process or client could exploit this issue to inject arbitrary beanstalkd commands via the 'put' command, for example to view the status of existing jobs or to delete jobs from the Beanstalkd queue, without the cooperation of the consumer process or client.
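The following script is an added example, not the Nessus plugin's own code, and not part of the Beanstalkd project. It performs the version check a practitioner would script themselves: send `stats` over the plain-text Beanstalk protocol, read the `OK <bytes>\r\n<yaml>\r\n` reply, pull the `version` key out of the YAML, and flag anything older than 1.4.6. The sample reply embedded below is constructed so the parsing runs offline; the default port 11300 and the assumption that the target answers `stats` with a `version:` line are the only things taken for granted.

```python
"""Flag a beanstalkd older than 1.4.6 (CVE-2010-2060) from its `stats` output.

Added example; assumes beanstalkd's default TCP port 11300 and that the
`stats` reply carries a `version: x.y.z` line in its YAML body.
"""
import re
import socket

FIXED_VERSION = (1, 4, 6)

# Constructed sample reply, shaped like a real `stats` response (abridged):
# "OK <bytes>\r\n" header, YAML body using "\n" line endings, "\r\n" trailer.
_SAMPLE_YAML = (
    b"---\n"
    b"current-jobs-ready: 3\n"
    b"total-jobs: 42\n"
    b"pid: 4242\n"
    b"version: 1.4.5\n"
)
SAMPLE_STATS_REPLY = b"OK %d\r\n" % len(_SAMPLE_YAML) + _SAMPLE_YAML + b"\r\n"


def parse_stats_reply(raw: bytes) -> dict:
    """Validate the framing of a `stats` reply and return its key/value pairs."""
    header, _, rest = raw.partition(b"\r\n")
    m = re.fullmatch(rb"OK (\d+)", header)
    if not m:
        raise ValueError("unexpected reply header: %r" % header)
    n = int(m.group(1))
    body, trailer = rest[:n], rest[n:n + 2]
    if len(body) != n or trailer != b"\r\n":
        raise ValueError("truncated or badly framed stats body")
    stats = {}
    for line in body.decode("utf-8", "replace").splitlines():
        if line.startswith("---") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        stats[key.strip()] = value.strip()
    return stats


def parse_version(text: str) -> tuple:
    """'1.4.5' -> (1, 4, 5); tolerates suffixes such as '1.10-3-gabc1234'."""
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("unparseable version string: %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version_text: str) -> bool:
    """True when the reported version predates the 1.4.6 fix."""
    return parse_version(version_text) < FIXED_VERSION


def assess_reply(raw: bytes) -> tuple:
    """Return (version string, vulnerable?) for a captured `stats` reply."""
    version = parse_stats_reply(raw)["version"]
    return version, is_vulnerable(version)


def _read_until(sock: socket.socket, marker: bytes) -> bytes:
    buf = b""
    while not buf.endswith(marker):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("connection closed before %r" % marker)
        buf += chunk
    return buf


def _read_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-body")
        buf += chunk
    return buf


def fetch_stats(host: str, port: int = 11300, timeout: float = 3.0) -> bytes:
    """Send `stats` and return the raw reply bytes (header, body, trailer)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"stats\r\n")
        header = _read_until(sock, b"\r\n")
        m = re.fullmatch(rb"OK (\d+)\r\n", header)
        if not m:
            return header  # e.g. UNKNOWN_COMMAND; parse_stats_reply will reject it
        return header + _read_exact(sock, int(m.group(1)) + 2)


if __name__ == "__main__":
    import sys
    raw = fetch_stats(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STATS_REPLY
    version, vulnerable = assess_reply(raw)
    print("beanstalkd %s: %s" % (version, "VULNERABLE" if vulnerable else "patched"))
```

Run it with a host name to query a live server, or with no arguments to exercise the constructed sample. Two caveats: beanstalkd has no authentication, so anyone who can reach the port can issue `stats` (and every other command) directly, and this is a version check only, so a build that backported the fix without bumping its version string would still be reported as vulnerable.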

Solution

Upgrade to version 1.4.6 or later.

See Also

http://kr.github.io/beanstalkd/2010/05/23/1.4.6-release-notes.html

https://bugs.gentoo.org/show_bug.cgi?id=322457

Plugin Details

Severity: High

ID: 46884

File Name: beanstalkd_remote_beanstalk_cmd_inject.nasl

Version: 1.10

Type: remote

Family: Misc.

Published: 6/14/2010

Updated: 11/15/2018

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

Exploit Ease: No known exploits are available

Exploited by Nessus: true

Patch Publication Date: 5/23/2010

Vulnerability Publication Date: 5/23/2010

Reference Information

CVE: CVE-2010-2060

BID: 40516

Secunia: 40032