CVE-2021-45967

Опубликовано: 18 мар. 2022

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Высокий

Описание

An issue was discovered in Pascom Cloud Phone System before 7.20.x. A configuration error between NGINX and a backend Tomcat server leads to a path traversal in the Tomcat server, exposing unintended endpoints.

Ссылки

https://kerbit.io/research/read/blog/4
Exploit
Patch
Third Party Advisory
https://tutorialboy24.blogspot.com/2022/03/the-story-of-3-bugs-that-lead-to.html
Exploit
Patch
Third Party Advisory
https://www.pascom.net/doc/en/release-notes/
Release Notes
Vendor Advisory
https://www.pascom.net/doc/en/release-notes/pascom19/
Release Notes
Vendor Advisory
https://kerbit.io/research/read/blog/4
Exploit
Patch
Third Party Advisory
https://tutorialboy24.blogspot.com/2022/03/the-story-of-3-bugs-that-lead-to.html
Exploit
Patch
Third Party Advisory
https://www.pascom.net/doc/en/release-notes/
Release Notes
Vendor Advisory
https://www.pascom.net/doc/en/release-notes/pascom19/
Release Notes
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:pascom:cloud_phone_system:*:*:*:*:*:*:*:*

Версия до 7.19 (включая)

Конфигурация 2

Одно из

cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*

Версия до 4.5.0 (исключая)

cpe:2.3:a:igniterealtime:openfire:4.5.0:-:*:*:*:*:*:*

EPSS

Процентиль: 100%

0.8933

Высокий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-22

Связанные уязвимости

GHSA-6669-q2h5-85q9