Caldera (versions <=2.8.1) does not properly segregate user privileges, resulting in non-admin users having access to read and modify configuration or other components which should only be accessible by admin users.
The vendor's disclosure for this vulnerability can be found here.
This vulnerability requires:
- Valid non-admin user credentials
More details and the exploitation process can be found in this PDF.
This vulnerability allows a non-admin user to exploit the vulnerability CVE-2021-42559: Command Injection via Configurations in MITRE Caldera in order to achieve remote code execution.