CVE-2021-32634

Published: May 21, 2021Modified: Nov 21, 2024

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

Emissary is a distributed, peer-to-peer, data-driven workflow framework. Emissary 6.4.0 is vulnerable to Unsafe Deserialization of post-authenticated requests to the [`WorkSpaceClientEnqueue.action`](https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/WorkSpaceClientEnqueueAction.java) REST endpoint. This issue may lead to post-auth Remote Code Execution. This issue has been patched in version 6.5.0. As a workaround, one can disable network access to Emissary from untrusted sources.

Affected (1)

Products: Nsa: Emissary

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Nsa Emissary	Version 6.4.0

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (4)

https://github.com/NationalSecurityAgency/emissary/commit/40260b1ec1f76cc92361702cc14fa1e4388e19d7

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-m5qf-gfmp-7638

Source: security-advisories@github.com

Third Party Advisory

https://github.com/NationalSecurityAgency/emissary/commit/40260b1ec1f76cc92361702cc14fa1e4388e19d7

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-m5qf-gfmp-7638

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.