Lucene search

[email protected]NVD:CVE-2021-30137

HistorySep 15, 2021 - 1:15 p.m.

CVE-2021-30137

2021-09-1513:15:07

CWE-611

[email protected]

web.nvd.nist.gov

assyst 10 sp7.5

authenticated xxe

ssrf

xml unmarshalling

json

xml data

malicious xml

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

EPSS

0.002

Percentile

57.6%

JSON

Assyst 10 SP7.5 has authenticated XXE leading to SSRF via XML unmarshalling. The application allows users to send JSON or XML data to the server. It was possible to inject malicious XML data through several access points.

Affected configurations

Nvd

Node

axiossystemsassystMatch10sp7.5

VendorProductVersionCPE
axiossystemsassyst10cpe:2.3:a:axiossystems:assyst:10:sp7.5:*:*:*:*:*:*

Vendor	Product	Version	CPE
axiossystems	assyst	10	cpe:2.3:a:axiossystems:assyst:10:sp7.5::::::

References

github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2021-30137.pdf

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

EPSS

0.002

Percentile

57.6%

JSON

Related for NVD:CVE-2021-30137

cve1 cvelist1 prion1