CVE-2021-21371 is a vulnerability in Tenable Jira Cloud
Published on March 10, 2021
Execution of untrusted code through config file
Tenable for Jira Cloud is an open source project designed to pull Tenable.io vulnerability data, then generate Jira Tasks and sub-tasks based on the vulnerabilities' current state. It published in pypi as "tenable-jira-cloud". In tenable-jira-cloud before version 1.1.21, it is possible to run arbitrary commands through the yaml.load() method. This could allow an attacker with local access to the host to run arbitrary code by running the application with a specially crafted YAML configuration file. This is fixed in version 1.1.21 by using yaml.safe_load() instead of yaml.load().
Vulnerability Analysis
CVE-2021-21371 can be exploited with local system access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2021-21371 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2021-21371
Want to know whenever a new CVE is published for Tenable Jira Cloud? stack.watch will email you.
Affected Versions
tenable integration-jira-cloud Version < 1.1.21 is affected by CVE-2021-21371Vulnerable Packages
The following package name and versions may be associated with CVE-2021-21371
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| pip | tenable-jira-cloud | < 1.1.21 | 1.1.21 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.