Lucene search

MitreCVELIST:CVE-2021-30137

HistorySep 15, 2021 - 12:35 p.m.

CVE-2021-30137

2021-09-1512:35:09

mitre

www.cve.org

assyst 10 sp7.5

authenticated xxe

ssrf

xml unmarshalling

json

xml data

malicious xml

CVSS3

7.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H

AI Score

8.3

Confidence

High

EPSS

0.002

Percentile

57.6%

JSON

Assyst 10 SP7.5 has authenticated XXE leading to SSRF via XML unmarshalling. The application allows users to send JSON or XML data to the server. It was possible to inject malicious XML data through several access points.

References

github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2021-30137.pdf

CVSS3

7.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H

AI Score

8.3

Confidence

High

EPSS

0.002

Percentile

57.6%

JSON

Related for CVELIST:CVE-2021-30137