SB2021060709 - Remote code execution in Emissary
Published: June 7, 2021 Updated: April 7, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Code Injection (CVE-ID: CVE-2021-32647)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the CreatePlace REST endpoint. A remote administrator can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2021-32639)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to server-side request forgery in RegisterPeerAction and AddChildDirectoryAction endpoints when handling crafted POST requests. A remote privileged user can send a specially crafted request to disclose sensitive information.
Some forged requests are sent to attacker-controlled hosts, including authenticated requests to the /emissary/RegisterPeer.action endpoint and non-authenticated requests to the /emissary/Heartbeat.action endpoint.
Remediation
Install update from vendor's website.
References
- https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-ph73-7v9r-wg32
- https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/CreatePlaceAction.java#L36
- https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-2p8j-2rf3-h4xr
- https://github.com/advisories/GHSA-2p8j-2rf3-h4xr