Vulnerability Description
An issue was discovered in Pascom Cloud Phone System before 7.20.x. A configuration error between NGINX and a backend Tomcat server leads to a path traversal in the Tomcat server, exposing unintended endpoints.
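The class of bug described above, as an added illustration (this is not code from Pascom, NGINX or Tomcat, and it does not reproduce the request used against Pascom, which this page does not give): a front-end proxy that allow-lists on the raw URI prefix, in front of a servlet container that, like Tomcat, strips `;` path parameters from each segment before resolving `..`. The `/services/` prefix, the `/admin/` target and the access-log lines are constructed for the example.

```python
"""Proxy/backend normalization mismatch of the NGINX-in-front-of-Tomcat kind.

Added illustration, not code from Pascom, NGINX or Tomcat. It models the
well-known Tomcat behaviour of treating ';' as a path-parameter delimiter
(so '/a/..;/b' maps to '/b') next to a proxy that only checks the raw prefix.
Percent-encoding is deliberately left untouched: the model covers the literal
'..;/' form only.
"""
import re

PUBLIC_PREFIX = "/services/"   # hypothetical: the one path the proxy should expose


def proxy_allows(raw_uri: str) -> bool:
    """Naive front-end rule: forward anything whose raw URI starts with the
    public prefix. The check runs on the string as received, while the backend
    applies its own normalization afterwards; that gap is the misconfiguration."""
    return raw_uri.startswith(PUBLIC_PREFIX)


def tomcat_normalize(raw_uri: str) -> str:
    """Approximation of a Tomcat-style request mapping: drop the query string,
    strip ';param' path parameters from every segment, then resolve '.' and '..'.
    A trailing slash is preserved so directory-style paths keep their shape."""
    path = raw_uri.split("?", 1)[0]
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]          # '..;jsessionid=x' becomes '..'
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    norm = "/" + "/".join(out)
    if path.endswith("/") and out:
        norm += "/"
    return norm


def escapes_prefix(raw_uri: str) -> bool:
    """True when the proxy would forward the request but the backend would
    serve something outside the public prefix: the 'unintended endpoint' case."""
    return proxy_allows(raw_uri) and not tomcat_normalize(raw_uri).startswith(PUBLIC_PREFIX)


def hardened_proxy_allows(raw_uri: str) -> bool:
    """Corrected rule: refuse the constructs the backend would reinterpret
    (path parameters, dot segments) instead of trying to out-guess its
    normalizer, and allow-list on the canonical path the backend will see."""
    path = raw_uri.split("?", 1)[0]
    if any(";" in seg or seg in (".", "..") for seg in path.split("/")):
        return False
    return tomcat_normalize(path).startswith(PUBLIC_PREFIX)


LOG_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (combined format), not from any real system.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2022:12:00:01 +0000] "GET /services/v1/status HTTP/1.1" 200 51',
    '10.0.0.9 - - [10/Mar/2022:12:00:02 +0000] "GET /services/..;/admin/ HTTP/1.1" 200 1822',
    '10.0.0.9 - - [10/Mar/2022:12:00:03 +0000] "GET /services/a/../b HTTP/1.1" 404 0',
]


def flag_traversals(lines):
    """Detection pass over proxy access logs: return (raw path, backend path)
    for every request that the proxy forwarded but the backend would have
    mapped outside the public prefix."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and escapes_prefix(m.group(1)):
            hits.append((m.group(1), tomcat_normalize(m.group(1))))
    return hits


if __name__ == "__main__":
    for raw, backend in flag_traversals(SAMPLE_LOG):
        print(f"proxy forwarded {raw!r}, backend served {backend!r}")
```

Note that `/services/a/../b` is not flagged: it stays under the prefix after normalization, so the proxy and backend agree on it. Only the `..;/` form, where the proxy sees a harmless-looking segment and the backend sees `..`, crosses the boundary. The hardened rule rejects both forms up front, which is the simpler posture when the proxy and backend are maintained by different parties.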
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pascom | Cloud Phone System | <= 7.19 |
| Igniterealtime | Openfire | < 4.5.0 |
Related Weaknesses (CWE)
References
- https://kerbit.io/research/read/blog/4 (Exploit, Patch, Third Party Advisory)
- https://tutorialboy24.blogspot.com/2022/03/the-story-of-3-bugs-that-lead-to.html (Exploit, Patch, Third Party Advisory)
- https://www.pascom.net/doc/en/release-notes/ (Release Notes, Vendor Advisory)
- https://www.pascom.net/doc/en/release-notes/pascom19/ (Release Notes, Vendor Advisory)
FAQ
What is CVE-2021-45967?
CVE-2021-45967 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An issue was discovered in Pascom Cloud Phone System before 7.20.x. A configuration error between NGINX and a backend Tomcat server leads to a path traversal in the Tomcat server, exposing unintended endpoints.
How severe is CVE-2021-45967?
CVE-2021-45967 has been rated CRITICAL with a CVSS base score of 9.8/10. A critical rating calls for prompt remediation; the fix is to upgrade to a version that corrects the NGINX to Tomcat configuration (see the vendor release notes in the references).
Is there a patch for CVE-2021-45967?
Check the references section above for vendor advisories and patch information. Affected products include: Pascom Cloud Phone System, Igniterealtime Openfire.