Vulnerability Details : CVE-2021-35047
Vulnerability in the CommandPost, Collector, and Sensor components of Fidelis Network and Deception enables an attacker with user level access to the CLI to inject root level commands into the component and neighboring Fidelis components. The vulnerability is present in Fidelis Network and Deception versions prior to 9.3.7 and in version 9.4. Patches and updates are available to address this vulnerability.
Exploit prediction scoring system (EPSS) score for CVE-2021-35047
Probability of exploitation activity in the next 30 days: 0.45%
Percentile (the proportion of vulnerabilities scored at or below this value): ~72%
CVSS scores for CVE-2021-35047
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
9.0 | HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C | 8.0 | 10.0 | NIST
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST
9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 3.1 | 6.0 | Fidelis Cybersecurity, Inc.
CWE ids for CVE-2021-35047
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
  Assigned by:
  - nvd@nist.gov (Primary)
  - security@fidelissecurity.com (Secondary)
References for CVE-2021-35047
- https://support.fidelissecurity.com/hc/en-us/categories/360001842694-Advisories-News-and-Policies (Fidelis Cybersecurity; Permissions Required; Vendor Advisory)
- https://www.securifera.com/blog/2021/06/24/operation-eagle-eye/ (Operation Eagle Eye – Securifera; Exploit; Third Party Advisory)
Products affected by CVE-2021-35047
- cpe:2.3:a:fidelissecurity:deception:*:*:*:*:*:*:*:*
- cpe:2.3:a:fidelissecurity:deception:9.4:*:*:*:*:*:*:*
- cpe:2.3:a:fidelissecurity:network:*:*:*:*:*:*:*:*
- cpe:2.3:a:fidelissecurity:network:9.4:*:*:*:*:*:*:*