Vulnerabilities > CVE-2021-32639 - Server-Side Request Forgery (SSRF) vulnerability in NSA Emissary

CVSS 9.9 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

nsa

CWE-918

critical

NVD

Published: 2021-07-02

Updated: 2021-07-06

Summary

Emissary is a P2P-based, data-driven workflow engine. Emissary version 6.4.0 is vulnerable to Server-Side Request Forgery (SSRF). In particular, the `RegisterPeerAction` endpoint and the `AddChildDirectoryAction` endpoint are vulnerable to SSRF. This vulnerability may lead to credential leaks. Emissary version 7.0 contains a patch. As a workaround, disable network access to Emissary from untrusted sources.

Vulnerable Configurations

Part	Description	Count
Application	Nsa NSA Emissary 5.0.0 NSA Emissary 5.1.0 NSA Emissary 5.2.0 NSA Emissary 5.3.0 NSA Emissary 5.4.1 NSA Emissary 5.5.0 NSA Emissary 5.6.0 NSA Emissary 5.7.0 NSA Emissary 5.8.0 NSA Emissary 5.9.0 NSA Emissary 5.10.0 NSA Emissary 5.11.0 NSA Emissary 6.0.0 NSA Emissary 6.1.0 NSA Emissary 6.2.0 NSA Emissary 6.3.0 NSA Emissary 6.4.0	17

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References