Caldera (versions <=2.8.1) defines multiple startup "requirements" whose commands are executed when the server starts. Because these commands can be changed via the REST API, an authenticated user can insert arbitrary commands that will execute when the server is restarted.
The vendor's disclosure for this vulnerability can be found here.
This vulnerability requires:
- Valid user credentials
- Waiting for the Caldera application to be restarted
More details and the exploitation process can be found in this PDF.
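A pre-restart integrity check for the startup requirements described above, as an added example that is not code from Caldera or from the vendor disclosure. It assumes the requirements are available as a mapping of entries with optional `command` and `type` keys; the baseline, the sample values and the function names are constructed for illustration.

```python
"""Flag drift in startup "requirements" against a reviewed baseline before a restart."""

# Fields of a requirement entry that decide what runs at startup.
# ASSUMPTION: each entry is a mapping with optional "command" and "type" keys.
WATCHED_FIELDS = ("command", "type")

# Constructed known-good baseline (hypothetical values, reviewed out of band).
BASELINE = {
    "go": {"command": "go version", "type": "installed_program", "version": "1.11"},
    "python": {"module": "sys", "attr": "version", "type": "python_module"},
}

# Constructed current configuration, as it might look after an API-side change.
CURRENT = {
    "go": {"command": "go version && echo constructed-change",
           "type": "installed_program", "version": "1.11"},
    "python": {"module": "sys", "attr": "version", "type": "python_module"},
    "extra": {"command": "echo constructed", "type": "installed_program"},
}


def find_requirement_drift(baseline, current):
    """Return (name, field, expected, actual) tuples for every difference found."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None or new is None:
            # A whole entry was added or removed since the baseline was reviewed.
            findings.append((name, "<entry>",
                             "present" if old is not None else "absent",
                             "present" if new is not None else "absent"))
            continue
        for field in WATCHED_FIELDS:
            if old.get(field) != new.get(field):
                findings.append((name, field, old.get(field), new.get(field)))
    return findings


def safe_to_restart(baseline, current):
    """A restart is allowed only when no watched field has drifted."""
    return not find_requirement_drift(baseline, current)


if __name__ == "__main__":
    for name, field, expected, actual in find_requirement_drift(BASELINE, CURRENT):
        print(f"DRIFT requirement={name} field={field} "
              f"expected={expected!r} actual={actual!r}")
```

Running the comparison as a gate in the restart procedure means a command changed through the API is reviewed before the server executes it.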