Lucene search

[email protected]NVD:CVE-2021-22855

HistoryFeb 17, 2021 - 2:15 p.m.

CVE-2021-22855

2021-02-1714:15:19

CWE-502

[email protected]

web.nvd.nist.gov

hr portal

soar cloud system

deserialization

arbitrary commands

cve-2021-22855

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.009

Percentile

82.5%

JSON

The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands.

Affected configurations

Nvd

Node

hr_portal_projecthr_portalMatch7.3.2020.1013

VendorProductVersionCPE
hr_portal_projecthr_portal7.3.2020.1013cpe:2.3:a:hr_portal_project:hr_portal:7.3.2020.1013:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
hr_portal_project	hr_portal	7.3.2020.1013	cpe:2.3:a:hr_portal_project:hr_portal:7.3.2020.1013:::::::*

References

www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e

www.twcert.org.tw/tw/cp-132-4405-2ddde-1.html

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.009

Percentile

82.5%

JSON

Related for NVD:CVE-2021-22855

prion1 cve1 cvelist1