CVE-2021-32639

Опубликовано: 02 июл. 2021

Источник: nvd

CVSS3: 7.2

CVSS3: 9.9

CVSS2: 6.5

EPSS Низкий

Описание

Emissary is a P2P-based, data-driven workflow engine. Emissary version 6.4.0 is vulnerable to Server-Side Request Forgery (SSRF). In particular, the RegisterPeerAction endpoint and the AddChildDirectoryAction endpoint are vulnerable to SSRF. This vulnerability may lead to credential leaks. Emissary version 7.0 contains a patch. As a workaround, disable network access to Emissary from untrusted sources.

Ссылки

https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/AddChildDirectoryAction.java
Exploit
Third Party Advisory
https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/RegisterPeerAction.java
Exploit
Third Party Advisory
https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-2p8j-2rf3-h4xr
Exploit
Third Party Advisory
https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/AddChildDirectoryAction.java
Exploit
Third Party Advisory
https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/RegisterPeerAction.java
Exploit
Third Party Advisory
https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-2p8j-2rf3-h4xr
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:nsa:emissary:*:*:*:*:*:*:*:*

Версия до 6.4.0 (включая)

EPSS

Процентиль: 73%

0.00781

Низкий

7.2 High

CVSS3

9.9 Critical

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-918

EPSS

Процентиль: 73%

0.00781

Низкий

7.2 High

CVSS3

9.9 Critical

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-918