CVE-2021-23758

Опубликовано: 03 дек. 2021

Источник: nvd

CVSS3: 8.1

CVSS3: 9.8

CVSS2: 7.5

EPSS Высокий

Описание

All versions of package ajaxpro.2 are vulnerable to Deserialization of Untrusted Data due to the possibility of deserialization of arbitrary .NET classes, which can be abused to gain remote code execution.

Ссылки

http://packetstormsecurity.com/files/175677/AjaxPro-Deserialization-Remote-Code-Execution.html
https://github.com/michaelschwarz/Ajax.NET-Professional/commit/b0e63be5f0bb20dfce507cb8a1a9568f6e73de57
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-DOTNET-AJAXPRO2-1925971
Third Party Advisory
http://packetstormsecurity.com/files/175677/AjaxPro-Deserialization-Remote-Code-Execution.html
https://github.com/michaelschwarz/Ajax.NET-Professional/commit/b0e63be5f0bb20dfce507cb8a1a9568f6e73de57
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-DOTNET-AJAXPRO2-1925971
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:ajaxpro.2_project:ajaxpro.2:*:*:*:*:*:.net:*:*

Версия до 21.10.30.1 (исключая)

EPSS

Процентиль: 99%

0.86171

Высокий

8.1 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-502

Связанные уязвимости

GHSA-6r7c-6w96-8pvw

CVSS3: 9.8

github

около 4 лет назад

Remote Code Execution in AjaxNetProfessional

EPSS

Процентиль: 99%

0.86171

Высокий

8.1 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-502