CVE-2021-32634 Deserialization of Untrusted Data in Emissary

2021-05-21 17:15:11
CWE-502
GitHub_M
www.cve.org
emissary
vulnerability
deserialization
remote code execution
cve-2021-32634
patched

CVSS3: 7.2

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:H

EPSS: 0.005
Percentile: 75.5%

Emissary is a distributed, peer-to-peer, data-driven workflow framework. Emissary 6.4.0 is vulnerable to Unsafe Deserialization of post-authenticated requests to the WorkSpaceClientEnqueue.action REST endpoint. This issue may lead to post-auth Remote Code Execution. This issue has been patched in version 6.5.0. As a workaround, one can disable network access to Emissary from untrusted sources.

CNA Affected

[
  {
    "product": "emissary",
    "vendor": "NationalSecurityAgency",
    "versions": [
      {
        "status": "affected",
        "version": "< 6.5.0"
      }
    ]
  }
]
