9.8

CVE-2021-34371

Exploit

EPSS 64.92%
Veröffentlicht 05.08.2021 20:15:09
Zuletzt bearbeitet 21.11.2024 06:10:15
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. An attacker can abuse this for remote code execution because there are dependencies with exploitable gadget chains.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Neo4j ≫ Neo4j SwEditioncommunity Version <= 3.4.18

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	64.92%	0.984

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://www.exploit-db.com/exploits/50170

Third Party Advisory

Exploit

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2021-34371

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-34371

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-34371

EUVD