Emissary Nsa Emissary


By the Year

In 2026 there have been 0 vulnerabilities in Nsa Emissary. Emissary did not have any published security vulnerabilities last year.

Year Vulnerabilities Average Score
2026 0 0.00
2025 0 0.00
2024 0 0.00
2023 0 0.00
2022 0 0.00
2021 8 8.06

It may take a day or so for new Emissary vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Nsa Emissary Security Vulnerabilities

Emissary is a P2P-based, data-driven workflow engine
CVE-2021-32639 9.9 - Critical - July 02, 2021

Emissary is a P2P-based, data-driven workflow engine. Emissary version 6.4.0 is vulnerable to Server-Side Request Forgery (SSRF). In particular, the `RegisterPeerAction` endpoint and the `AddChildDirectoryAction` endpoint are vulnerable to SSRF. This vulnerability may lead to credential leaks. Emissary version 7.0 contains a patch. As a workaround, disable network access to Emissary from untrusted sources.

SSRF

Emissary is a P2P based data-driven workflow engine
CVE-2021-32647 9.1 - Critical - June 01, 2021

Emissary is a P2P-based, data-driven workflow engine. Affected versions of Emissary are vulnerable to post-authentication Remote Code Execution (RCE). The [`CreatePlace`](https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/CreatePlaceAction.java#L36) REST endpoint accepts an `sppClassName` parameter which is used to load an arbitrary class. This class is later instantiated using a constructor with the following signature: `<constructor>(String, String, String)`. An attacker may find a gadget (class) in the application classpath that could be used to achieve Remote Code Execution (RCE) or disrupt the application. Even though the chances of finding a gadget (class) that allows arbitrary code execution are low, an attacker can still find gadgets that could potentially crash the application or leak sensitive data. As a workaround, disable network access to Emissary from untrusted sources.

Reflection Injection

Emissary is a distributed, peer-to-peer, data-driven workflow framework
CVE-2021-32634 7.2 - High - May 21, 2021

Emissary is a distributed, peer-to-peer, data-driven workflow framework. Emissary 6.4.0 is vulnerable to Unsafe Deserialization of post-authenticated requests to the [`WorkSpaceClientEnqueue.action`](https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/WorkSpaceClientEnqueueAction.java) REST endpoint. This issue may lead to post-auth Remote Code Execution. This issue has been patched in version 6.5.0. As a workaround, one can disable network access to Emissary from untrusted sources.

Marshaling, Unmarshaling

The ConfigFileAction component of U.S
CVE-2021-32093 6.5 - Medium - May 07, 2021

The ConfigFileAction component of U.S. National Security Agency (NSA) Emissary 5.9.0 allows an authenticated user to read arbitrary files via the ConfigName parameter.

AuthZ

A Cross-site scripting (XSS) vulnerability in the DocumentAction component of U.S
CVE-2021-32092 6.1 - Medium - May 07, 2021

A Cross-site scripting (XSS) vulnerability in the DocumentAction component of U.S. National Security Agency (NSA) Emissary 5.9.0 allows remote attackers to inject arbitrary web script or HTML via the uuid parameter.

XSS

U.S. National Security Agency (NSA) Emissary 5.9.0 allows an
CVE-2021-32095 8.1 - High - May 07, 2021

U.S. National Security Agency (NSA) Emissary 5.9.0 allows an authenticated user to delete arbitrary files.

AuthZ

U.S. National Security Agency (NSA) Emissary 5.9.0 allows an
CVE-2021-32094 8.8 - High - May 07, 2021

U.S. National Security Agency (NSA) Emissary 5.9.0 allows an authenticated user to upload arbitrary files.

Unrestricted File Upload

The ConsoleAction component of U.S
CVE-2021-32096 8.8 - High - May 07, 2021

The ConsoleAction component of U.S. National Security Agency (NSA) Emissary 5.9.0 allows a CSRF attack that results in injecting arbitrary Ruby code (for an eval call) via the CONSOLE_COMMAND_STRING parameter.

Session Riding
