Login Sign Up

CVE-2021-41280

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

CVE-2021-41280 is a critical command injection vulnerability in Sharetribe Go marketplace software that allows attackers to execute arbitrary operating system commands. This affects installations that don't have the AWS SNS notification token configured, which is the default configuration. Attackers can potentially gain full control of affected systems.

💻 Affected Systems

Products:
  • Sharetribe Go
Versions: All versions before 10.2.1
Operating Systems: Any OS running Sharetribe Go
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when sns_notification_token configuration parameter is not set (default configuration).

📦 What is this software?

Sharetribe by Sharetribe

View all CVEs affecting Sharetribe →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, pivot to other systems, and maintain persistent access.

🟠

Likely Case

Remote code execution leading to data theft, system takeover, and potential ransomware deployment on vulnerable installations.

🟢

If Mitigated

No impact if proper configuration is applied or patched version is installed.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication on internet-facing installations.
🏢 Internal Only: MEDIUM - Internal systems could still be vulnerable to insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Command injection vulnerabilities are typically easy to exploit once the attack vector is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.2.1

Vendor Advisory: https://github.com/sharetribe/sharetribe/security/advisories/GHSA-hjjc-p9hr-424c

Restart Required: Yes

Instructions:

1. Backup your Sharetribe Go installation and database. 2. Update to version 10.2.1 or later using your package manager or by downloading from GitHub. 3. Restart the application server. 4. Verify the update was successful.

🔧 Temporary Workarounds

Configure SNS Notification Token

all

Set a secret AWS SNS notification token to prevent exploitation

Set configuration parameter: sns_notification_token = 'your_secret_token_here'

🧯 If You Can't Patch

  • Immediately configure the sns_notification_token parameter with a strong secret value
  • Implement network segmentation and restrict access to Sharetribe Go instances

🔍 How to Verify

Check if Vulnerable:

Check if sns_notification_token is unset in configuration and version is below 10.2.1

Check Version:

Check Sharetribe Go version in admin panel or application configuration

Verify Fix Applied:

Verify version is 10.2.1 or higher and sns_notification_token is configured

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns
  • Suspicious AWS SNS notification attempts
  • Error logs containing command injection attempts

Network Indicators:

  • Unexpected outbound connections from Sharetribe Go server
  • Traffic to unexpected AWS SNS endpoints

SIEM Query:

Search for command injection patterns in web application logs: *cmd* OR *exec* OR *system* OR *shell*

📊 Metadata

CVE ID: CVE-2021-41280
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-78
Published: November 19, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-41280, you might also want to check these:

CVE-2023-2564 10.0

This CVE describes an OS command injection vulnerability in scanservjs web scanning software that al...

Same vulnerability type (CWE-78)
CVE-2024-58338 10.0

Anevia Flamingo XL 3.2.9 contains a restricted shell escape vulnerability that allows remote attacke...

Same vulnerability type (CWE-78)
CVE-2025-26389 10.0

This critical vulnerability allows unauthenticated remote attackers to execute arbitrary code with r...

Same vulnerability type (CWE-78)