CVE-2021-21371 MEDIUM

CVE-2021-21371: Execution of untrusted code through config file

Vendor Tenable

Product integration-jira-cloud

Weakness CWE-502 · Unsafe deserialization

Published March 10, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

5.0/10

Attack vector Local

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Tenable for Jira Cloud is an open source project designed to pull Tenable.io vulnerability data, then generate Jira Tasks and sub-tasks based on the vulnerabilities' current state. It published in pypi as "tenable-jira-cloud". In tenable-jira-cloud before version 1.1.21, it is possible to run arbitrary commands through the yaml.load() method. This could allow an attacker with local access to the host to run arbitrary code by running the application with a specially crafted YAML configuration file. This is fixed in version 1.1.21 by using yaml.safe_load() instead of yaml.load().

Key dates

02Disclosure timeline

March 10, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-21371 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/502.html

Related vulnerabilities

CVE-2021-21371: Execution of untrusted code through config file

01Description

02Disclosure timeline

03References

04Related CVE