CVE-2019-5029

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2019-5029

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-5029.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-5029

Published

2019-11-13T23:15:12.153Z

Modified

2026-04-10T04:18:27.954468Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

An exploitable command injection vulnerability exists in the Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7.1. Arbitrary shell commands surrounded by backticks or $() can be inserted into the editor and will be executed by the Exhibitor process when it launches ZooKeeper. An attacker can execute any command as the user running the Exhibitor process.

References

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0790

Affected packages

Git / github.com/soabase/exhibitor

Affected ranges

Type

GIT

Repo

https://github.com/soabase/exhibitor

Events

Introduced

2c095a4e92d7df7e6764f4cac40e2b74b9160b88

Last affected

9cf9c84e4c48f8883bccb869e9ef7c2c1ac03ab1

Database specific

{
    "versions": [
        {
            "introduced": "1.0.9"
        },
        {
            "last_affected": "1.7.1"
        }
    ]
}

Affected versions

1.*

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.0.14-2

1.0.9

1.1.0

1.2.0

1.4.10

1.4.11

1.4.8

1.4.9

1.5.0

1.5.1

1.5.2

exhibitor-1.*

exhibitor-1.3.1

exhibitor-1.3.2

exhibitor-1.3.3

exhibitor-1.3.4

exhibitor-1.3.5

exhibitor-1.3.6

exhibitor-1.3.7

exhibitor-1.4.0

exhibitor-1.4.1

exhibitor-1.4.2

exhibitor-1.4.3

exhibitor-1.4.4

exhibitor-1.4.5

exhibitor-1.4.6

exhibitor-1.4.7

exhibitor-1.6.0

exhibitor-1.7.0

exhibitor-1.7.1

v1.*

v1.5.3

v1.5.4

v1.5.5

v1.5.6

v1.5.6-rc.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-5029.json"