CVE-2021-28154 — CRITICAL (9.1)

Q: How severe is CVE-2021-28154?

CVE-2021-28154 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2021-28154?

Check the references section above for vendor advisories and patch information. Affected products include: Camunda Modeler.

Vulnerability Description

Camunda Modeler (aka camunda-modeler) through 4.6.0 allows arbitrary file access. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which manipulates the readFile and writeFile APIs. NOTE: the vendor states "The way we secured the app is that it does not allow any remote scripts to be opened, no unsafe scripts to be evaluated, no remote sites to be browsed.

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Camunda	Modeler	<= 4.6.0

Related Weaknesses (CWE)

CWE-862

References

https://github.com/camunda/camunda-modeler/issues/2143ExploitIssue TrackingThird Party Advisory
https://github.com/camunda/camunda-modeler/issues/2143ExploitIssue TrackingThird Party Advisory

FAQ

What is CVE-2021-28154?

CVE-2021-28154 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Camunda Modeler (aka camunda-modeler) through 4.6.0 allows arbitrary file access. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which manipulate...

How severe is CVE-2021-28154?

CVE-2021-28154 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2021-28154?

Check the references section above for vendor advisories and patch information. Affected products include: Camunda Modeler.