Lucene search

GitHub_MCVELIST:CVE-2021-32639

HistoryJul 02, 2021 - 3:30 p.m.

CVE-2021-32639 Server-Side Request Forgery (SSRF) in emissary:emissary

2021-07-0215:30:11

CWE-918

GitHub_M

www.cve.org

ssrf

emissary

vulnerability

patch

version 7.0

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L

AI Score

9.6

Confidence

High

EPSS

0.007

Percentile

80.1%

JSON

Emissary is a P2P-based, data-driven workflow engine. Emissary version 6.4.0 is vulnerable to Server-Side Request Forgery (SSRF). In particular, the RegisterPeerAction endpoint and the AddChildDirectoryAction endpoint are vulnerable to SSRF. This vulnerability may lead to credential leaks. Emissary version 7.0 contains a patch. As a workaround, disable network access to Emissary from untrusted sources.

CNA Affected

[
  {
    "product": "emissary",
    "vendor": "NationalSecurityAgency",
    "versions": [
      {
        "status": "affected",
        "version": "<= 6.4.0"
      }
    ]
  }
]

References

github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/AddChildDirectoryAction.java

github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/RegisterPeerAction.java

github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-2p8j-2rf3-h4xr

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L

AI Score

9.6

Confidence

High

EPSS

0.007

Percentile

80.1%

JSON

Related for CVELIST:CVE-2021-32639