CVE-2021-32829 – Post-authentication Remote Code Execution (RCE) in ZStack REST API

https://notcve.org/view.php?id=CVE-2021-32829

ZStack is open source IaaS(infrastructure as a service) software aiming to automate datacenters, managing resources of compute, storage, and networking all by APIs. Affected versions of ZStack REST API are vulnerable to post-authentication Remote Code Execution (RCE) via bypass of the Groovy shell sandbox. The REST API exposes the GET zstack/v1/batch-queries?script endpoint which is backed up by the BatchQueryAction class. Messages are represented by the APIBatchQueryMsg, dispatched to the QueryFacadeImpl facade and handled by the BatchQuery class. • https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html https://github.com/zstackio/zstack/security/advisories/GHSA-6xgq-7rqg-x3q5 https://securitylab.github.com/advisories/GHSL-2021-065-zstack • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-863: Incorrect Authorization •