CVE-2021-32835 - OpenCVE

Eclipse Keti is a service that was designed to protect RESTfuls API using Attribute Based Access Control (ABAC). In Keti a sandbox escape vulnerability may lead to post-authentication Remote Code execution. This vulnerability is known to exist in the latest commit at the time of writing this CVE (commit a1c8dbe). For more details see the referenced GHSL-2021-063.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Eclipse	Keti

Configuration 1 [-]

cpe:2.3:a:eclipse:keti:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://securitylab.github.com/advisories/GHSL-2021-063-eclipse-keti/

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-09-09T01:50:11

Updated: 2024-08-03T23:33:56.105Z

Reserved: 2021-05-12T00:00:00

Link: CVE-2021-32835

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-09-09T02:15:15.077

Modified: 2021-09-16T13:52:48.973

Link: CVE-2021-32835

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "keti", "vendor": "eclipse", "versions": [{"status": "affected", "version": "<= a1c8dbe"}]}], "descriptions": [{"lang": "en", "value": "Eclipse Keti is a service that was designed to protect RESTfuls API using Attribute Based Access Control (ABAC). In Keti a sandbox escape vulnerability may lead to post-authentication Remote Code execution. This vulnerability is known to exist in the latest commit at the time of writing this CVE (commit a1c8dbe). For more details see the referenced GHSL-2021-063."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-693", "description": "CWE-693 Protection Mechanism Failure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-09-09T01:50:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://securitylab.github.com/advisories/GHSL-2021-063-eclipse-keti/"}], "source": {"advisory": "GHSL-2021-063", "discovery": "INTERNAL"}, "title": " Groovy Sandbox escape in Eclipse Keti", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32835", "STATE": "PUBLIC", "TITLE": " Groovy Sandbox escape in Eclipse Keti"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "keti", "version": {"version_data": [{"version_value": "<= a1c8dbe"}]}}]}, "vendor_name": "eclipse"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Eclipse Keti is a service that was designed to protect RESTfuls API using Attribute Based Access Control (ABAC). In Keti a sandbox escape vulnerability may lead to post-authentication Remote Code execution. This vulnerability is known to exist in the latest commit at the time of writing this CVE (commit a1c8dbe). For more details see the referenced GHSL-2021-063."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-693 Protection Mechanism Failure"}]}]}, "references": {"reference_data": [{"name": "https://securitylab.github.com/advisories/GHSL-2021-063-eclipse-keti/", "refsource": "CONFIRM", "url": "https://securitylab.github.com/advisories/GHSL-2021-063-eclipse-keti/"}]}, "source": {"advisory": "GHSL-2021-063", "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:33:56.105Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://securitylab.github.com/advisories/GHSL-2021-063-eclipse-keti/"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32835", "datePublished": "2021-09-09T01:50:11", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:33:56.105Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:keti:-:*:*:*:*:*:*:*", "matchCriteriaId": "2E856027-8498-4042-AFCE-74C5984D72CE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Eclipse Keti is a service that was designed to protect RESTfuls API using Attribute Based Access Control (ABAC). In Keti a sandbox escape vulnerability may lead to post-authentication Remote Code execution. This vulnerability is known to exist in the latest commit at the time of writing this CVE (commit a1c8dbe). For more details see the referenced GHSL-2021-063."}, {"lang": "es", "value": "Eclipse Keti es un servicio que fue dise\u00f1ado para proteger la API RESTfuls usando el Control de Acceso Basado en Atributos (ABAC). En Keti, una vulnerabilidad de escape de sandbox puede conllevar a una ejecuci\u00f3n de c\u00f3digo remota despu\u00e9s de la autenticaci\u00f3n. Se sabe que esta vulnerabilidad se presenta en el \u00faltimo commit en el momento de escribir este CVE (commit a1c8dbe). Para m\u00e1s detalles, consulte la referencia GHSL-2021-063"}], "id": "CVE-2021-32835", "lastModified": "2021-09-16T13:52:48.973", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-09T02:15:15.077", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2021-063-eclipse-keti/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}], "source": "security-advisories@github.com", "type": "Primary"}]}