CVE-2021-3317

8.8 HIGH

📋 TL;DR

CVE-2021-3317 is an authenticated command injection vulnerability in KLog Server that allows an attacker with valid credentials to execute arbitrary commands on the underlying operating system. The flaw is in async.php, which passes the unsanitized value of the source request parameter to shell_exec(); because the value is neither validated nor shell-quoted, shell metacharacters in it are interpreted by the shell, and the injected commands run with the privileges of the web server (PHP) process. KLog Server through version 2.4.1 is affected.

💻 Affected Systems

Products:
  • KLog Server
Versions: through 2.4.1
Operating Systems: Linux, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the KLog Server web interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise leading to data exfiltration, lateral movement, ransomware deployment, or complete server takeover.

🟠 Likely Case: Privilege escalation, data theft, installation of backdoors, or disruption of logging services.

🟢 If Mitigated: Limited impact if proper network segmentation, least privilege access, and command execution restrictions are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid credentials but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.2 or later

Advisory (researcher write-up, not a vendor bulletin): https://docs.unsafe-inline.com/0day/klog-server-authenticated-command-injection

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Download the latest version from the official source.
3. Stop the KLog Server service.
4. Install the updated version.
5. Restart the KLog Server service.
6. Verify functionality.

🔧 Temporary Workarounds

Input Validation Filter (platforms: all)

Add input validation so the source parameter is checked before it is used: modify async.php to compare the value against an allowlist of the expected source names and reject anything else. Reject rather than "clean" the value, since a blocklist of shell metacharacters is easy to bypass, and keep escapeshellarg() on the value that does reach shell_exec() as a second layer.
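The following is an added illustration of that workaround, not KLog Server's own async.php. It places the vulnerable pattern the advisory describes next to a hardened handler that combines an allowlist with escapeshellarg(). The collector path /opt/klog/bin/collect, the --source flag and the allowed source names are assumptions made for the example.

```php
<?php
// Added example: an illustrative handler, NOT KLog Server's actual async.php.
// Assumption: the handler runs a collector command whose argument is chosen
// by the "source" request parameter.

// --- Vulnerable pattern (what CVE-2021-3317 describes) ---
// The request value is concatenated straight into a shell command line, so
// "source=syslog;id" or "source=$(id)" runs attacker-chosen commands as the
// web server user. Kept here for contrast only; never call it.
function run_source_vulnerable(string $source): string
{
    return (string) shell_exec('/opt/klog/bin/collect --source ' . $source . ' 2>&1');
}

// --- Hardened pattern ---
// 1. Allowlist: "source" may only name a known collector (assumed names).
// 2. Shell-quote even the allowlisted value, so a future change to the
//    allowlist cannot silently reintroduce the injection.
const ALLOWED_SOURCES = ['syslog', 'windows-event', 'netflow'];

// Returns the value unchanged if it is an exact allowlisted name, else null.
function validate_source(string $source): ?string
{
    // Strict comparison: no type juggling, case-sensitive, no partial match.
    return in_array($source, ALLOWED_SOURCES, true) ? $source : null;
}

function run_source_hardened(string $source): string
{
    $clean = validate_source($source);
    if ($clean === null) {
        // Reject outright; do not try to strip metacharacters and continue.
        return 'error: invalid source';
    }
    $cmd = '/opt/klog/bin/collect --source ' . escapeshellarg($clean) . ' 2>&1';
    return (string) shell_exec($cmd);
}

// Demonstrate the validator on typical injection payloads (no command is run).
foreach (['syslog', 'syslog;id', '$(id)', '`id`', "syslog\nid", 'SYSLOG', 'syslog '] as $candidate) {
    printf("%-16s => %s\n", json_encode($candidate), validate_source($candidate) ?? 'REJECTED');
}
```

Run it with `php` on the command line to see that only the exact allowlisted name passes; the newline, backtick, `$()` and even trailing-space variants are all rejected before any command is built.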

WAF Rule (platforms: all)

Block requests to async.php whose source parameter carries shell metacharacters. The rule must match on the URL-decoded value (an attacker will send %3B, %7C or %26 rather than a literal ;, | or &) and should cover $( ), backticks and newlines as well as ;, | and &. Treat this as a stop-gap only: a metacharacter blocklist at the WAF reduces exposure but does not remove the shell_exec() call.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate KLog Server from critical systems
  • Enforce strong authentication policies and monitor for suspicious login attempts

🔍 How to Verify

Check if Vulnerable:

Check the KLog Server version in the web interface or in the configuration files. Any installation reporting 2.4.1 or earlier is affected.

Check Version:

grep -i version /path/to/klog/config/files (or read the version from the web interface)

Verify Fix Applied:

Confirm the version is 2.4.2 or later, then, from an authenticated session on a test instance, submit a source value containing a harmless metacharacter payload (for example a trailing ;id) and confirm the request is rejected rather than executed; the response should not contain the output of the injected command.

📡 Detection & Monitoring

Log Indicators:

  • Requests to async.php whose source parameter contains shell metacharacters (check the URL-decoded value)
  • Shells (sh, bash, cmd.exe, powershell) or other unexpected child processes spawned by the web server / PHP process
  • Multiple failed authentication attempts followed by a successful login, then unusual async.php activity from that session

Network Indicators:

  • Outbound connections from the KLog Server host to unusual destinations (reverse shells, download of second-stage tooling)
  • Unexpected network traffic patterns from the host

SIEM Query (pseudo-syntax; field names depend on your SIEM, and source_parameter must hold the URL-decoded value):

host="KLog Server" AND (
    (child_process IN ("cmd.exe", "bash", "sh", "powershell"))
    OR (uri CONTAINS "async.php" AND (
        source_parameter CONTAINS "|" OR source_parameter CONTAINS ";" OR source_parameter CONTAINS "&"
        OR source_parameter CONTAINS "$(" OR source_parameter CONTAINS "`"))
)
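As an added detection example (not part of the original advisory and not KLog Server code), the script below applies the log indicator above to combined-format web server access log lines: it picks out requests to async.php, URL-decodes the source parameter and flags shell metacharacters in the decoded value. This is the check a naive WAF or SIEM rule matching only a literal |, ; or & misses. The path /actions/async.php and every log line are constructed for the example.

```php
<?php
// Added example: scans combined-format access log lines for CVE-2021-3317
// exploitation attempts. Not KLog Server code; /actions/async.php and the
// sample log lines below are constructed.

// Characters that change the meaning of a shell command line: separators,
// pipes, command substitution, redirection, grouping and line breaks.
const SHELL_META = '/[;|&`$<>(){}\r\n]/';

// Parse one combined-format line into the fields the scan needs.
function parse_log_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'user' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

// Return the URL-decoded "source" query value, or null if it is not present.
function decoded_source(string $target): ?string
{
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);          // decodes %3B, %24, %0A, "+" etc.
    $value = $params['source'] ?? null;
    return is_string($value) ? $value : null;
}

// Classify every async.php request; returns a list of findings.
function scan_access_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req === null) {
            continue;
        }
        $path = (string) parse_url($req['target'], PHP_URL_PATH);
        if (strpos($path, 'async.php') === false) {
            continue;
        }
        $source = decoded_source($req['target']);
        if ($source === null) {
            // The parameter probably travelled in a POST body, which access logs
            // omit: correlate with application or WAF logs for these requests.
            $findings[] = ['ip' => $req['ip'], 'user' => $req['user'], 'verdict' => 'unverifiable', 'source' => null];
        } elseif (preg_match(SHELL_META, $source)) {
            $findings[] = ['ip' => $req['ip'], 'user' => $req['user'], 'verdict' => 'injection', 'source' => $source];
        }
    }
    return $findings;
}

// Constructed sample: one benign request, two encoded injection attempts,
// one POST with no visible parameter, one unrelated request.
$sample_log = [
    '10.0.0.5 - admin [26/Jan/2021:10:15:02 +0000] "GET /actions/async.php?source=syslog HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [26/Jan/2021:10:15:40 +0000] "GET /actions/async.php?source=syslog%3Bid HTTP/1.1" 200 731 "-" "curl/7.68.0"',
    '10.0.0.5 - admin [26/Jan/2021:10:16:01 +0000] "GET /actions/async.php?source=%24%28cat+%2Fetc%2Fpasswd%29 HTTP/1.1" 200 2048 "-" "curl/7.68.0"',
    '10.0.0.5 - admin [26/Jan/2021:10:16:20 +0000] "POST /actions/async.php HTTP/1.1" 200 300 "-" "python-requests/2.25"',
    '10.0.0.9 - - [26/Jan/2021:10:17:00 +0000] "GET /index.php?source=a%3Bb HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
];

foreach (scan_access_log($sample_log) as $f) {
    printf("%-12s %-9s %-6s %s\n", $f['verdict'], $f['ip'], $f['user'], json_encode($f['source']));
}
```

Running it reports the two encoded attempts (decoded to `syslog;id` and `$(cat /etc/passwd)`) as injection and the bare POST as unverifiable, while the benign request and the request to a different script produce nothing. The authenticated username in the log is the pivot for the next step, since the attacker needed a valid account.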
