CVE-2021-32756 | ManageIQ MiqExpression injection
A vulnerability classified as critical has been found in ManageIQ jansa-4/kasparov-2/lasker-1. It affects an unknown part of the MiqExpression component. Manipulation with unknown input leads to privilege escalation. The problem is classified as CWE-74 (injection). Confidentiality, integrity, and availability are impacted. The summary by CVE is:
ManageIQ is an open-source management platform. In versions prior to jansa-4, kasparov-2, and lasker-1, there is a flaw in the MiqExpression module of ManageIQ where a low privilege user could enter a crafted Ruby string which would be evaluated. Successful exploitation will allow an attacker to execute arbitrary code with root privileges on the host system. There are patches for this issue in releases named jansa-4, kasparov-2, and lasker-1. If possible, restrict users, via RBAC, to only the part of the application that they need access to. While MiqExpression is widely used throughout the product, restricting users can limit the surface of the attack.
The advisory was published on 07/22/2021 and is shared at github.com. The vulnerability was assigned CVE-2021-32756 on 05/12/2021. Exploitation is known to be easy, can be initiated remotely, and requires only simple authentication. Neither technical details nor an exploit are publicly available.
Applying a patch eliminates this problem.
VulDB Meta Base Score: 6.3
VulDB Meta Temp Score: 6.0
VulDB Base Score: 6.3
VulDB Temp Score: 6.0
Class: Privilege escalation
Status: Not defined
Recommended: Patch
05/12/2021 CVE assigned
07/22/2021 (+71 days) Advisory disclosed
07/22/2021 (+0 days) VulDB entry created
07/26/2021 (+4 days) VulDB last update
Advisory: github.com
CVE: CVE-2021-32756
Created: 07/22/2021 12:53
Updated: 07/26/2021 14:41
Changes: (1) source_cve_cna