CVE-2021-43829

Опубликовано: 14 дек. 2021

Источник: nvd

CVSS3: 7.4

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

PatrOwl is a free and open-source solution for orchestrating Security Operations. In versions prior to 1.7.7 PatrowlManager unrestrictly handle upload files in the findings import feature. This vulnerability is capable of uploading dangerous type of file to server leading to XSS attacks and potentially other forms of code injection. Users are advised to update to 1.7.7 as soon as possible. There are no known workarounds for this issue.

Ссылки

https://github.com/Patrowl/PatrowlManager/commit/2287c9715d2e7ef11b44bb0ad4a57727654f2203
Patch
Third Party Advisory
https://github.com/Patrowl/PatrowlManager/security/advisories/GHSA-5hc9-6hq4-2xfx
Third Party Advisory
https://huntr.dev/bounties/17324785-f83a-4058-ac40-03f2bfa16399/
Exploit
Patch
Third Party Advisory
https://github.com/Patrowl/PatrowlManager/commit/2287c9715d2e7ef11b44bb0ad4a57727654f2203
Patch
Third Party Advisory
https://github.com/Patrowl/PatrowlManager/security/advisories/GHSA-5hc9-6hq4-2xfx
Third Party Advisory
https://huntr.dev/bounties/17324785-f83a-4058-ac40-03f2bfa16399/
Exploit
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:patrowl:patrowlmanager:*:*:*:*:*:*:*:*

Версия до 1.7.7 (исключая)

EPSS

Процентиль: 84%

0.02277

Низкий

7.4 High

CVSS3

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-434

EPSS

Процентиль: 84%

0.02277

Низкий

7.4 High

CVSS3

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-434