CVE-2021-32756 | ManageIQ MiqExpression injection


CVSS Meta Temp Score: 6.0 | Current Exploit Price (≈): $0-$5k | CTI Interest Score: 0.49

A vulnerability, which was classified as critical, has been found in ManageIQ releases prior to jansa-4, kasparov-2 and lasker-1. It affects the MiqExpression component: a crafted Ruby string supplied by a low-privileged user is evaluated by the application, so the weakness is an injection (CWE-74) whose outcome is privilege escalation. Confidentiality, integrity, and availability are impacted. The summary by CVE is:

ManageIQ is an open-source management platform. In versions prior to jansa-4, kasparov-2, and lasker-1, there is a flaw in the MiqExpression module of ManageIQ where a low privilege user could enter a crafted Ruby string which would be evaluated. Successful exploitation will allow an attacker to execute arbitrary code with root privileges on the host system. There are patches for this issue in releases named jansa-4, kasparov-2, and lasker-1. If possible, restrict users, via RBAC, to only the part of the application that they need access to. While MiqExpression is widely used throughout the product, restricting users can limit the surface of the attack.

The advisory was published on 07/22/2021 and is shared at github.com. The vulnerability is identified as CVE-2021-32756; the CVE was assigned on 05/12/2021. Exploitation is known to be easy and can be initiated remotely; it requires only a low-privileged authenticated account. Neither technical details nor an exploit are publicly available.

Upgrading to a patched release (jansa-4, kasparov-2 or lasker-1) eliminates this problem. Until then, restricting users via RBAC to the parts of the application they need reduces the attack surface, but it does not remove the flaw.
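As an added illustration of the bug class described above (this is not ManageIQ's MiqExpression code, whose internals the advisory does not disclose), the Ruby below contrasts a filter evaluator that hands a user-supplied string to `eval` with one that parses the string into an allowlisted field/operator/value triple and never evaluates it. The record set, the field names, the operator table and the `$pwned` marker are all constructed for this example.

```ruby
# Added example for this page: the eval-of-user-string bug class behind
# CVE-2021-32756. It is a hypothetical stand-in, not ManageIQ's MiqExpression.

# Constructed sample inventory (not real ManageIQ data).
RECORDS = [
  { name: "web01", cpu_count: 4, memory_mb: 8192 },
  { name: "db01",  cpu_count: 2, memory_mb: 16384 },
].freeze

# Marker standing in for "attacker code ran"; a real payload would spawn a
# shell or read files with the server process's (here: root) privileges.
$pwned = false

# --- Vulnerable pattern -------------------------------------------------------
# The filter text typed by a low-privileged user is handed to eval unchanged.
# "r[:cpu_count] > 2" works as intended; so does "($pwned = true) || true".
def unsafe_filter(records, user_filter)
  records.select { |r| eval(user_filter, binding) } # r is visible inside eval
end

# --- Hardened pattern ---------------------------------------------------------
# No eval. The filter must match a strict grammar, the field must be in an
# allowlist, the operator is looked up in a table of lambdas, and the literal
# is typed before it is compared.
class FilterError < StandardError; end

FIELDS = %w[name cpu_count memory_mb].freeze

OPERATORS = {
  "==" => ->(a, b) { a == b },
  "!=" => ->(a, b) { a != b },
  ">=" => ->(a, b) { a >= b },
  "<=" => ->(a, b) { a <= b },
  ">"  => ->(a, b) { a >  b },
  "<"  => ->(a, b) { a <  b },
}.freeze

# field  op  literal   where literal is a double-quoted string or an integer
FILTER_RE = /\A(?<field>[a-z_]+)\s*(?<op>==|!=|>=|<=|>|<)\s*(?<value>"[^"]*"|-?\d+)\z/

def parse_filter(user_filter)
  m = FILTER_RE.match(user_filter.to_s.strip)
  raise FilterError, "malformed filter" unless m
  raise FilterError, "unknown field #{m[:field]}" unless FIELDS.include?(m[:field])
  value = m[:value].start_with?('"') ? m[:value][1..-2] : Integer(m[:value], 10)
  [m[:field].to_sym, m[:op], value]
end

def safe_filter(records, user_filter)
  field, op, value = parse_filter(user_filter)
  compare = OPERATORS.fetch(op)
  records.select do |r|
    actual = r.fetch(field)
    # Refuse to compare across types rather than let Ruby coerce or raise oddly.
    raise FilterError, "type mismatch on #{field}" unless actual.class == value.class
    compare.call(actual, value)
  end
end
```

The point of the contrast is where the fix lives: the RBAC mitigation in the advisory only shrinks the set of users who can reach the evaluator, whereas the durable fix is an evaluator that rejects anything outside its grammar, as `safe_filter` does with the `($pwned = true) || true` payload that `unsafe_filter` happily runs.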

VulDB Meta Base Score: 6.3
VulDB Meta Temp Score: 6.0

VulDB Base Score: 6.3
VulDB Temp Score: 6.0
Class: Privilege escalation
CWE: CWE-74
ATT&CK: Unknown

Local: No
Remote: Yes

Status: Not defined

Threat Intelligence

Recommended: Patch

Patch: github.com

05/12/2021 CVE assigned
07/22/2021 +71 days Advisory disclosed
07/22/2021 +0 days VulDB entry created
07/26/2021 +4 days VulDB last update

Advisory: github.com
Status: Confirmed

CVE: CVE-2021-32756

Created: 07/22/2021 12:53
Updated: 07/26/2021 14:41
Changes: (1) source_cve_cna