CVE-2021-45414: Datarobot Remote Code Execution (Packet Storm)
A Remote Code Execution (RCE) vulnerability exists in DataRobot through 2021-10-28 because the application allows submission of a Docker environment or a Java driver, either of which can be used to execute arbitrary code.
Exploit Title: Datarobot -- Remote Code Execution
Date: 9/28/2021
Vendor Homepage: https://www.datarobot.com
Software Link: https://app.datarobot.com/
Version: TBD - awaiting build version from vendor
Tested on: The issue affects all versions of the product up to the date of this submission
Exploit Authors: Mike Coers & Pathfynder Inc
Exploit Contact: sm0key a t dnsfiltrate_io & micheal.coers a t pathfynder dot_io
Exploit Technique: Remote
CVE ID: CVE-2021-45414

#### 1. Description

The application allows for the submission of Docker environments and Java drivers, which are executed by the platform and therefore allow arbitrary remote code execution. This vulnerability affects all previous versions of the DataRobot product suite.

#### 2. Disclosure Timeline

10/26/21 - Discovery and Exploitation
10/28/21 - Vendor Notified
2/16/22 - CVE Assigned
2/18/22 - Public Disclosure

#### 3. Mitigation

A hotfix has been applied to the vendor's SaaS solution; no action is necessary at this time.