Datarobot suffers from a remote code execution vulnerability.
877e15f9e624af437d7fbdb1b93bad7a
Exploit Title: Datarobot -- Remote Code Execution
Date: 9/28/2021
Vendor Homepage: https://www.datarobot.com
Software Link: https://app.datarobot.com/
Version: TBD - awaiting build version from vendor
Tested on: The issue affects all versions of the product up to the date of this submission
Exploit Authors: Mike Coers & Pathfynder Inc
Exploit Contact: sm0key a t dnsfiltrate_io & micheal.coers a t pathfynder dot_io
Exploit Technique: Remote
CVE ID: CVE-2021-45414
##### 1. Description
The application allows for the submission of docker environments, and java drivers which execute arbitrary remote code.
This vulnerability effects all previous versions of the Datarobot product suite.
#### 2. Disclosure Timeline
10/26/21 – Discovery and Exploitation
10/28/21 – Vendor Notified
2/16/22 – CVE Assigned
2/18/22 - Public Disclosure
#### 3. Mitigation
Hotfix applied to vendors SAAS solution, no action is necessary at this time however.