Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nvd[email protected]NVD:CVE-2021-32756
HistoryJul 21, 2021 - 7:15 p.m.

CVE-2021-32756

2021-07-2119:15:07
CWE-74
CWE-94
[email protected]
web.nvd.nist.gov
3
manageiq
miqexpression
arbitrary code execution
low privilege
user restriction
rbac
security patch
vulnerability
restricted access

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

43.9%

JSON

ManageIQ is an open-source management platform. In versions prior to jansa-4, kasparov-2, and lasker-1, there is a flaw in the MiqExpression module of ManageIQ where a low privilege user could enter a crafted Ruby string which would be evaluated. Successful exploitation will allow an attacker to execute arbitrary code with root privileges on the host system. There are patches for this issue in releases named jansa-4, kasparov-2, and lasker-1. If possible, restrict users, via RBAC, to only the part of the application that they need access to. While MiqExpression is widely used throughout the product, restricting users can limit the surface of the attack.

Affected configurations

Nvd
Node
manageiqmanageiqMatchjansa-1-
OR
manageiqmanageiqMatchjansa-1alpha1
OR
manageiqmanageiqMatchjansa-1beta1
OR
manageiqmanageiqMatchjansa-1rc1
OR
manageiqmanageiqMatchjansa-1rc2
OR
manageiqmanageiqMatchjansa-2
OR
manageiqmanageiqMatchjansa-3
OR
manageiqmanageiqMatchkasparov-1-
OR
manageiqmanageiqMatchkasparov-1alpha1
OR
manageiqmanageiqMatchkasparov-1beta1
OR
manageiqmanageiqMatchkasparov-1beta1.1
OR
manageiqmanageiqMatchlasker-1beta1
VendorProductVersionCPE
manageiqmanageiqjansa-1cpe:2.3:a:manageiq:manageiq:jansa-1:-:*:*:*:*:*:*
manageiqmanageiqjansa-1cpe:2.3:a:manageiq:manageiq:jansa-1:alpha1:*:*:*:*:*:*
manageiqmanageiqjansa-1cpe:2.3:a:manageiq:manageiq:jansa-1:beta1:*:*:*:*:*:*
manageiqmanageiqjansa-1cpe:2.3:a:manageiq:manageiq:jansa-1:rc1:*:*:*:*:*:*
manageiqmanageiqjansa-1cpe:2.3:a:manageiq:manageiq:jansa-1:rc2:*:*:*:*:*:*
manageiqmanageiqjansa-2cpe:2.3:a:manageiq:manageiq:jansa-2:*:*:*:*:*:*:*
manageiqmanageiqjansa-3cpe:2.3:a:manageiq:manageiq:jansa-3:*:*:*:*:*:*:*
manageiqmanageiqkasparov-1cpe:2.3:a:manageiq:manageiq:kasparov-1:-:*:*:*:*:*:*
manageiqmanageiqkasparov-1cpe:2.3:a:manageiq:manageiq:kasparov-1:alpha1:*:*:*:*:*:*
manageiqmanageiqkasparov-1cpe:2.3:a:manageiq:manageiq:kasparov-1:beta1:*:*:*:*:*:*
Rows per page:
1-10 of 121

Related

prion 1
cvelist 1
cve 1
osv 1
prion
prion
Code injection
2021-07-21 19:15:00
cvelist
cvelist
CVE-2021-32756 Arbitrary eval through MiqExpression
2021-07-21 18:45:15
cve
cve
CVE-2021-32756
2021-07-21 19:15:07
osv
osv
CVE-2021-32756
2021-07-21 19:15:07

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

43.9%

JSON
Related for NVD:CVE-2021-32756
prion1cvelist1cve1osv1