How severe is CVE-2021-32647?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.1 out of 10.

What type of vulnerability is CVE-2021-32647?

This is classified as CWE-74, which is a common weakness in software security.

CVE-2021-32647

CRITICAL Year: 2021

CVSS v3 Score

9.1

Critical

CVSS v2 Score

6.5

Medium

Weakness Type

CWE-74

View all →

Vulnerability Description

Emissary is a P2P based data-driven workflow engine. Affected versions of Emissary are vulnerable to post-authentication Remote Code Execution (RCE). The [`CreatePlace`](https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/CreatePlaceAction.java#L36) REST endpoint accepts an `sppClassName` parameter which is used to load an arbitrary class. This class is later instantiated using a constructor with the following signature: `<constructor>(String, String, String)`. An attacker may find a gadget (class) in the application classpath that could be used to achieve Remote Code Execution (RCE) or disrupt the application. Even though the chances to find a gadget (class) that allow arbitrary code execution are low, an attacker can still find gadgets that could potentially crash the application or leak sensitive data. As a work around disable network access to Emissary from untrusted sources.

CVE-2014-7236

CRITICAL

CVSS:9.1(Critical)

Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6.0.1 allows remote attackers to execute arbitrary Perl code via the debugenableplugins parameter to do/view/Main/WebHome.

CWE-742014

CVE-2015-7544

CRITICAL

CVSS:9.1(Critical)

redhat-support-plugin-rhev in Red Hat Enterprise Virtualization Manager (aka RHEV Manager) before 3.6 allows remote authenticated users with the SuperUser role on any Entity to execute arbitrary comma...

CWE-742015

CVE-2021-20736

CRITICAL

CVSS:9.1(Critical)

NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors.

CWE-742021

CVE-2021-43837

CRITICAL

CVSS:9.1(Critical)

vault-cli is a configurable command-line interface tool (and python library) to interact with Hashicorp Vault. In versions before 3.0.0 vault-cli features the ability for rendering templated values. W...

CWE-742021

CVE-2022-31631

CRITICAL

CVSS:9.1(Critical)

In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driv...

CWE-742022

CVE-2023-33241

CRITICAL

CVSS:9.1(Critical)

Crypto wallets implementing the GG18 or GG20 TSS protocol might allow an attacker to extract a full ECDSA private key by injecting a malicious pallier key and cheating in the range proof. Depending on...

CWE-742023

CVE-2021-32647

Vulnerability Description

Related Vulnerabilities

CVE-2014-7236

CVE-2015-7544

CVE-2021-20736

CVE-2021-43837

CVE-2022-31631

CVE-2023-33241