Skip to main content

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CVE-2021-3540

Severity High
Score 9/10

Summary

By abusing the 'install rpm info detail' command, an attacker can escape the restricted clish shell on affected versions of Ivanti MobileIron Core. This issue was fixed in version 11.1.0.0.

  • LOW
  • NETWORK
  • SINGLE
  • COMPLETE
  • COMPLETE
  • COMPLETE

CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

References

Advisory Timeline

  • Published