Vulnerability Details CVE-2021-32639
Emissary is a P2P-based, data-driven workflow engine. Emissary version 6.4.0 is vulnerable to Server-Side Request Forgery (SSRF). In particular, the `RegisterPeerAction` endpoint and the `AddChildDirectoryAction` endpoint are vulnerable to SSRF. This vulnerability may lead to credential leaks. Emissary version 7.0 contains a patch. As a workaround, disable network access to Emissary from untrusted sources.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.008
EPSS Ranking 72.8%
CVSS Severity
CVSS v3 Score 7.2
CVSS v2 Score 6.5
Products affected by CVE-2021-32639
- cpe:2.3:a:nsa:emissary:5.0.0
- cpe:2.3:a:nsa:emissary:5.1.0
- cpe:2.3:a:nsa:emissary:5.10.0
- cpe:2.3:a:nsa:emissary:5.11.0
- cpe:2.3:a:nsa:emissary:5.2.0
- cpe:2.3:a:nsa:emissary:5.3.0
- cpe:2.3:a:nsa:emissary:5.4.1
- cpe:2.3:a:nsa:emissary:5.5.0
- cpe:2.3:a:nsa:emissary:5.6.0
- cpe:2.3:a:nsa:emissary:5.7.0
- cpe:2.3:a:nsa:emissary:5.8.0
- cpe:2.3:a:nsa:emissary:5.9.0
- cpe:2.3:a:nsa:emissary:6.0.0
- cpe:2.3:a:nsa:emissary:6.1.0
- cpe:2.3:a:nsa:emissary:6.2.0
- cpe:2.3:a:nsa:emissary:6.3.0
- cpe:2.3:a:nsa:emissary:6.4.0