Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cve[email protected]CVE-2021-37578
HistoryJul 29, 2021 - 7:15 a.m.

CVE-2021-37578

2021-07-2907:15:06
CWE-502
[email protected]
web.nvd.nist.gov
47
2
cve-2021-37578
apache juddi
rmi
deserialization vulnerability
remote code execution
uddi protocol
nvd
security issue

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

0.01 Low

EPSS

Percentile

83.9%

JSON

Apache jUDDI uses several classes related to Java’s Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services. RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote attacker can send a malicious serialized object to the above RMI entries. The objects get deserialized without any check on the incoming data. In the worst case, it may let the attacker run arbitrary code remotely. For both jUDDI web service applications and jUDDI clients, the usage of RMI is disabled by default. Since this is an optional feature and an extension to the UDDI protocol, the likelihood of impact is low. Starting with 3.3.10, all RMI related code was removed.

Affected configurations

Vulners
NVD
Node
apachejuddiRange3.3.10
CPENameOperatorVersion
apache:juddiapache juddilt3.3.10

CNA Affected

[
  {
    "product": "Apache jUDDI",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "3.3.10",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

Social References

More

Related

prion 1
github 1
osv 1
nvd 1
cnvd 1
cvelist 1
prion
prion
Design/Logic Flaw
2021-07-29 07:15:00
github
github
Deserialization of Untrusted Data in Apache jUDDI
2021-08-09 20:41:37
osv
osv
Deserialization of Untrusted Data in Apache jUDDI
2021-08-09 20:41:37
nvd
nvd
CVE-2021-37578
2021-07-29 07:15:06
cnvd
cnvd
Apache jUDDI code issue vulnerability
2021-07-30 00:00:00
cvelist
cvelist
CVE-2021-37578 Remote code execution via RMI
2021-07-29 07:05:10

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

0.01 Low

EPSS

Percentile

83.9%

JSON
Related for CVE-2021-37578
prion1github1osv1nvd1cnvd1cvelist1