Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cve[email protected]CVE-2021-32647
HistoryJun 01, 2021 - 2:15 p.m.

CVE-2021-32647

2021-06-0114:15:10
CWE-74
CWE-470
[email protected]
web.nvd.nist.gov
22
6
emissary
cve-2021-32647
rce
remote code execution
emissary vulnerability

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

68.2%

JSON

Emissary is a P2P based data-driven workflow engine. Affected versions of Emissary are vulnerable to post-authentication Remote Code Execution (RCE). The CreatePlace REST endpoint accepts an sppClassName parameter which is used to load an arbitrary class. This class is later instantiated using a constructor with the following signature: <constructor>(String, String, String). An attacker may find a gadget (class) in the application classpath that could be used to achieve Remote Code Execution (RCE) or disrupt the application. Even though the chances to find a gadget (class) that allow arbitrary code execution are low, an attacker can still find gadgets that could potentially crash the application or leak sensitive data. As a work around disable network access to Emissary from untrusted sources.

Affected configurations

Vulners
NVD
Node
nationalsecurityagencyemissaryMatch6.4.0
CPENameOperatorVersion
nsa:emissarynsa emissaryeq6.4.0

CNA Affected

[
  {
    "product": "emissary",
    "vendor": "NationalSecurityAgency",
    "versions": [
      {
        "status": "affected",
        "version": "= 6.4.0"
      }
    ]
  }
]

Social References

More

Related

osv 1
prion 1
nvd 1
cvelist 1
osv
osv
CVE-2021-32647
2021-06-01 14:15:10
prion
prion
Design/Logic Flaw
2021-06-01 14:15:00
nvd
nvd
CVE-2021-32647
2021-06-01 14:15:10
cvelist
cvelist
CVE-2021-32647 Post-authentication Remote Code Execution (RCE) in emissary:emissary
2021-05-28 23:05:10

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

68.2%

JSON
Related for CVE-2021-32647
osv1prion1nvd1cvelist1