CVE-2021-32827 — MEDIUM (6.1)

Vulnerability Description

MockServer is open source software which enables easy mocking of any system you integrate with via HTTP or HTTPS. An attacker that can trick a victim into visiting a malicious site while running MockServer locally, will be able to run arbitrary code on the MockServer machine. With an overly broad default CORS configuration MockServer allows any site to send cross-site requests. Additionally, MockServer allows you to create dynamic expectations using Javascript or Velocity templates. Both engines may allow an attacker to execute arbitrary code on-behalf of MockServer. By combining these two issues (Overly broad CORS configuration + Script injection), an attacker could serve a malicious page so that if a developer running MockServer visits it, they will get compromised. For more details including a PoC see the referenced GHSL-2021-059.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Mock-Server	Mockserver	All versions
Oracle	Communications Cloud Native Core Policy	1.14.0

Related Weaknesses (CWE)

CWE-74 CWE-79

References

https://securitylab.github.com/advisories/GHSL-2021-059-mockserver/ExploitThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
https://securitylab.github.com/advisories/GHSL-2021-059-mockserver/ExploitThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory

FAQ

What is CVE-2021-32827?

CVE-2021-32827 is a vulnerability with a CVSS score of 6.1 (MEDIUM). MockServer is open source software which enables easy mocking of any system you integrate with via HTTP or HTTPS. An attacker that can trick a victim into visiting a malicious site while running MockS...

How severe is CVE-2021-32827?

CVE-2021-32827 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-32827?

Check the references section above for vendor advisories and patch information. Affected products include: Mock-Server Mockserver, Oracle Communications Cloud Native Core Policy.