Vulnerability Details : CVE-2021-32634
Emissary is a distributed, peer-to-peer, data-driven workflow framework. Emissary 6.4.0 is vulnerable to Unsafe Deserialization of post-authenticated requests to the [`WorkSpaceClientEnqueue.action`](https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/WorkSpaceClientEnqueueAction.java) REST endpoint. This issue may lead to post-auth Remote Code Execution. This issue has been patched in version 6.5.0. As a workaround, one can disable network access to Emissary from untrusted sources.
Vulnerability category: Execute code
Products affected by CVE-2021-32634
- cpe:2.3:a:nsa:emissary:6.4.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-32634
0.46%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 76 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-32634
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
8.0
|
6.4
|
NIST | |
7.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
1.2
|
5.9
|
NIST | |
7.2
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:H |
1.3
|
5.3
|
GitHub, Inc. |
CWE ids for CVE-2021-32634
-
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.Assigned by: security-advisories@github.com (Primary)
References for CVE-2021-32634
-
https://github.com/NationalSecurityAgency/emissary/commit/40260b1ec1f76cc92361702cc14fa1e4388e19d7
Merge pull request from GHSA-m5qf-gfmp-7638 · NationalSecurityAgency/emissary@40260b1 · GitHubPatch;Third Party Advisory
-
https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-m5qf-gfmp-7638
Deserialization of Untrusted Data in Emissary · Advisory · NationalSecurityAgency/emissary · GitHubThird Party Advisory
Jump to