CVE-2021-32634 HIGH

CVE-2021-32634: Deserialization of Untrusted Data in Emissary

Vendor Nationalsecurityagency
Product emissary
Weakness CWE-502 · Unsafe deserialization
Published May 21, 2021
Last update August 3, 2024

CVSS base score

7.2/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:H

What the vulnerability does

01Description

Emissary is a distributed, peer-to-peer, data-driven workflow framework. Emissary 6.4.0 is vulnerable to Unsafe Deserialization of post-authenticated requests to the [`WorkSpaceClientEnqueue.action`](https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/WorkSpaceClientEnqueueAction.java) REST endpoint. This issue may lead to post-auth Remote Code Execution. This issue has been patched in version 6.5.0. As a workaround, one can disable network access to Emissary from untrusted sources.

Key dates

02Disclosure timeline

May 21, 2021 CVE published
August 3, 2024 Record updated