CVE-2021-20318

Advisory lineage Upstream: 0 Downstream: 2

Downstream

RHSA-2022:0400 RHSA-2022:0401

Modified

Published: 23 Dec 2021, 19:48

Last modified:03 Aug 2024, 17:37

Vulnerability Summary

Overall Risk (default)

medium

29/100

CVSS Score

7.2 HIGH

v3.1 (nvd)

EPSS Score

2.13% LOW

2% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

23 Dec 2021, 19:48

Published

Vulnerability first disclosed

03 Aug 2024, 17:37

Last Modified

Vulnerability information updated

Description

The HornetQ component of Artemis in EAP 7 was not updated with the fix for CVE-2016-4978. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage.

CVSS Metrics

v3.1•HIGH•Score: 7.2CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
v2.0•MEDIUM•Score: 6.5AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 2.13%• Percentile: 84%

Techniques & Countermeasures

CWE-502•Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Systems

redhat•jboss_enterprise_application_platform
7.3.9:general_availability | 7.4.0:general_availability

References (1)

https://bugzilla.redhat.com/show_bug.cgi?id=2010559