CVE-2021-20076 — Deserialization of Untrusted Data in Tenable.sc

CWE-502 — Deserialization of Untrusted Data3 documents3 sources

Severity

8.8HIGHNVD

EPSS

3.4%

top 12.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tenable Tenable.sc

Timeline

PublishedMar 3

Latest updateMay 24

Description

Tenable.sc and Tenable.sc Core versions 5.13.0 through 5.17.0 were found to contain a vulnerability that could allow an authenticated, unprivileged user to perform Remote Code Execution (RCE) on the Tenable.sc server via Hypertext Preprocessor unserialization.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDtenable/tenable.sc5.13.0 — 5.17.0

▶CVEListV5tenable/tenable.sc5.13.0 through 5.17.0

🔴Vulnerability Details

GHSA

GHSA-3ccq-6jj2-4rxc: Tenable↗2022-05-24

▶

CVEList

CVE-2021-20076: Tenable↗2021-03-03

▶