CVE-2021-41110 : cwlviewer is a web application to view and share Common Workflow Language workfl

cwlviewer is a web application to view and share Common Workflow Language workflows. Versions prior to 1.3.1 contain a Deserialization of Untrusted Data vulnerability. Commit number f6066f09edb70033a2ce80200e9fa9e70a5c29de (dated 2021-09-30) contains a patch. There are no available workarounds aside from installing the patch. The SnakeYaml constructor, by default, allows any data to be parsed. To fix the issue the object needs to be created with a `SafeConstructor` object, as seen in the patch.

Published 2021-10-01 13:15:08

Updated 2021-10-08 16:21:26

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2021-41110

Commonwl » Cwlviewer
Versions before (<) 1.3.1
cpe:2.3:a:commonwl:cwlviewer:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-41110

EPSS FAQ

0.61%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 67 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-41110

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H	3.9	5.2	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: High

CWE ids for CVE-2021-41110

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)

References for CVE-2021-41110

https://github.com/common-workflow-language/cwlviewer/security/advisories/GHSA-7g7j-f5g3-fqp7

CWL Viewer: deserialization of untrusted data can lead to complete takeover by an attacker · Advisory · common-workflow-language/cwlviewer · GitHub
Patch;Third Party Advisory
https://github.com/common-workflow-language/cwlviewer/commit/f6066f09edb70033a2ce80200e9fa9e70a5c29de

Use Yaml SafeConstructor (#355) · common-workflow-language/cwlviewer@f6066f0 · GitHub
Patch;Third Party Advisory
https://www.fatalerrors.org/a/analysis-of-the-snakeyaml-deserialization-in-java-security.html

Analysis of the SnakeYaml deserialization in Java Security
Exploit;Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-41110

Products affected by CVE-2021-41110

Exploit prediction scoring system (EPSS) score for CVE-2021-41110

CVSS scores for CVE-2021-41110

CWE ids for CVE-2021-41110

References for CVE-2021-41110