CVE-2021-32639 HIGH

CVE-2021-32639: Server-Side Request Forgery (SSRF) in emissary:emissary

Vendor Nationalsecurityagency
Product emissary
Weakness CWE-918 · SSRF
Published July 2, 2021
Last update August 3, 2024

CVSS base score

7.2/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L

What the vulnerability does

01 Description

Emissary is a P2P-based, data-driven workflow engine. Emissary version 6.4.0 is vulnerable to Server-Side Request Forgery (SSRF). In particular, the `RegisterPeerAction` endpoint and the `AddChildDirectoryAction` endpoint are vulnerable to SSRF. This vulnerability may lead to credential leaks. Emissary version 7.0 contains a patch. As a workaround, disable network access to Emissary from untrusted sources.

Key dates

02 Disclosure timeline

July 2, 2021 CVE published
August 3, 2024 Record updated