{"api_version":"1","generated_at":"2026-04-22T22:50:58+00:00","cve":"CVE-2021-28398","urls":{"html":"https://cve.report/CVE-2021-28398","api":"https://cve.report/api/cve/CVE-2021-28398.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-28398","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-28398"},"summary":{"title":"CVE-2021-28398","description":"A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2022-09-05 17:15:00","updated_at":"2022-10-01 02:18:00"},"problem_types":["CWE-78"],"metrics":[],"references":[{"url":"https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-cf8p-c88c-h9jf","name":"https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-cf8p-c88c-h9jf","refsource":"CONFIRM","tags":[],"title":"Remote Code Execution through Before-Script field in Local Filesystem Harvester · Advisory · geonetwork/core-geonetwork · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/geonetwork/core-geonetwork","name":"https://github.com/geonetwork/core-geonetwork","refsource":"MISC","tags":[],"title":"GitHub - geonetwork/core-geonetwork: GeoNetwork is a catalog application to manage spatially referenced resources. It provides powerful metadata editing and search functions as well as an interactive web map viewer. It is currently used in numerous Spatial Data Infrastructure initiatives across the world.","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://geonetwork-opensource.org/","name":"https://geonetwork-opensource.org/","refsource":"MISC","tags":[],"title":"Home — GeoNetwork opensource","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://geonetwork-opensource.org/manuals/trunk/en/overview/change-log/version-3.6.0.html","name":"https://geonetwork-opensource.org/manuals/trunk/en/overview/change-log/version-3.6.0.html","refsource":"MISC","tags":[],"title":"Version 3.6.0 — GeoNetwork opensource v3.10 GeoNetwork Documentation","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-28398","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28398","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"28398","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"geonetwork-opensource","cpe5":"geonetwork","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28398","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"geonetwork-opensource","cpe5":"geonetwork","cpe6":"4.0.0","cpe7":"alpha1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28398","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"geonetwork-opensource","cpe5":"geonetwork","cpe6":"4.0.0","cpe7":"alpha2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28398","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"osgeo","cpe5":"geonetwork","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28398","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"osgeo","cpe5":"geonetwork","cpe6":"4.0.0","cpe7":"alpha1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28398","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"osgeo","cpe5":"geonetwork","cpe6":"4.0.0","cpe7":"alpha2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-28398","qid":"730700","title":"GeoNetwork OS Command Injection Vulnerbility"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-28398","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://geonetwork-opensource.org/","refsource":"MISC","name":"https://geonetwork-opensource.org/"},{"url":"https://github.com/geonetwork/core-geonetwork","refsource":"MISC","name":"https://github.com/geonetwork/core-geonetwork"},{"url":"https://geonetwork-opensource.org/manuals/trunk/en/overview/change-log/version-3.6.0.html","refsource":"MISC","name":"https://geonetwork-opensource.org/manuals/trunk/en/overview/change-log/version-3.6.0.html"},{"refsource":"CONFIRM","name":"https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-cf8p-c88c-h9jf","url":"https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-cf8p-c88c-h9jf"}]}},"nvd":{"publishedDate":"2022-09-05 17:15:00","lastModifiedDate":"2022-10-01 02:18:00","problem_types":["CWE-78"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.2,"baseSeverity":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:osgeo:geonetwork:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0.0","versionEndExcluding":"4.0.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:osgeo:geonetwork:*:*:*:*:*:*:*:*","versionStartIncluding":"3.4.0","versionEndExcluding":"3.12.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:osgeo:geonetwork:4.0.0:alpha2:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:osgeo:geonetwork:4.0.0:alpha1:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"28398","Ordinal":"203565","Title":"CVE-2021-28398","CVE":"CVE-2021-28398","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"28398","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}