CVE-2021-41280

Summary

Sharetribe Go is a source available marketplace software. In affected versions operating system command injection is possible on installations of Sharetribe Go, that do not have a secret AWS Simple Notification Service (SNS) notification token configured via the sns_notification_token configuration parameter. This configuration parameter is unset by default. The vulnerability has been patched in version 10.2.1. Users who are unable to upgrade should set thesns_notification_token configuration parameter to a secret value.

Affected Software

VendorProductVersion RangeStatus
sharetribesharetribe< 10.2.1affected

Weaknesses

  • CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CVE Program Container

Additional References

References