Emissary is a distributed, peer-to-peer, data-driven workflow framework. Emissary 6.4.0 is vulnerable to Unsafe Deserialization of post-authenticated requests to the [`WorkSpaceClientEnqueue.action`](https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/WorkSpaceClientEnqueueAction.java) REST endpoint. This issue may lead to post-auth Remote Code Execution. This issue has been patched in version 6.5.0. As a workaround, one can disable network access to Emissary from untrusted sources.
References
| Link | Resource |
|---|---|
| https://github.com/NationalSecurityAgency/emissary/commit/40260b1ec1f76cc92361702cc14fa1e4388e19d7 | Patch Third Party Advisory |
| https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-m5qf-gfmp-7638 | Third Party Advisory |
Configurations
History
27 May 2021, 22:37
| Type | Values Removed | Values Added |
|---|---|---|
| References | (CONFIRM) https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-m5qf-gfmp-7638 - Third Party Advisory | |
| References | (MISC) https://github.com/NationalSecurityAgency/emissary/commit/40260b1ec1f76cc92361702cc14fa1e4388e19d7 - Patch, Third Party Advisory | |
| CVSS |
v2 : v3 : |
v2 : 6.5
v3 : 7.2 |
| CPE | cpe:2.3:a:nsa:emissary:6.4.0:*:*:*:*:*:*:* |
21 May 2021, 19:14
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-502 |
21 May 2021, 18:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2021-05-21 18:15
Updated : 2023-12-10 13:55
NVD link : CVE-2021-32634
Mitre link : CVE-2021-32634
CVE.ORG link : CVE-2021-32634
JSON object : View
Products Affected
nsa
- emissary
CWE
CWE-502
Deserialization of Untrusted Data