Lucene search

GitHub Advisory DatabaseGHSA-29Q4-GXJQ-RX5C

HistoryFeb 10, 2021 - 2:31 a.m.

Remote Code Execution in SCIMono

2021-02-1002:31:53

CWE-59

CWE-62

CWE-74

CWE-77

CWE-690

CWE-917

GitHub Advisory Database

github.com

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

0.004 Low

EPSS

Percentile

73.5%

JSON

Impact

It is possible for attacker to inject and execute java expression and compromising the availability and integrity of the system.

Patches

The issue was fixed on 0.0.19 version

Affected configurations

Vulners

Node

com.sap.scimono\scimonoMatchserver

CPENameOperatorVersion
com.sap.scimono:scimono-serverlt0.0.19

CPE	Name	Operator	Version
	com.sap.scimono:scimono-server	lt	0.0.19

References

github.com/advisories/GHSA-29q4-gxjq-rx5c

github.com/SAP/scimono/commit/413b5d75fa94e77876af0e47be76475a23745b80

github.com/SAP/scimono/security/advisories/GHSA-29q4-gxjq-rx5c

mvnrepository.com/artifact/com.sap.scimono/scimono-server/0.0.19

nvd.nist.gov/vuln/detail/CVE-2021-21479

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

0.004 Low

EPSS

Percentile

73.5%

JSON

Related for GHSA-29Q4-GXJQ-RX5C