CVE-2021-21479
Published 2021-02-09
Priority P180 · critical · 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:H
ITW: exploit · VulnCheck KEV · Exploited in the wild
EPSS: 9.99% (95.0th percentile)
In SCIMono before 0.0.19, it is possible for an attacker to inject and execute java expression compromising the availability and integrity of the system.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sap | scimono | < 0.0.19 | 0.0.19 |
| sap_se | scimono | < 0.0.19 | 0.0.19 |
Detection & IOCs (extracted from sources)
- URL: /Schemas/$%7B''.class.forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('js').eval('java.lang.Runtime.getRuntime().exec("id")')%7D
- Command (the injected Java expression, URL-decoded): ''.class.forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('js').eval('java.lang.Runtime.getRuntime().exec("id")')
- Detect successful exploitation by matching HTTP responses whose body contains all four strings at once: 'The attribute value', 'java.lang.UNIXProcess@', 'has invalid value!', and '"status" : "400"'.
- Monitor HTTP GET requests to the /Schemas/ endpoint whose path contains a URL-encoded SSTI payload: %7B and %7D (the braces of a ${...} expression) wrapping a Java expression that reaches javax.script.ScriptEngineManager.
- 'java.lang.UNIXProcess@' in a 400 error response body from SCIMono's /Schemas/ endpoint is a strong indicator of successful SSTI/RCE exploitation: it is the Process object returned by Runtime.exec() being echoed back inside the error message, so the command ran.
- Only SCIMono versions before 0.0.19 are affected; patched versions are not exploitable via this vector.
- The exploit is a single unauthenticated GET request (max-request: 1), so no prior authentication or session is required, which lowers the bar for mass exploitation.
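The two indicators above (payload in the request path, the four marker strings in a 400 response) turned into a log triage routine. This is an added example, not code from SCIMono, the Nuclei template or any of the sources on this page; the sample records are constructed, the SCIM error-body layout around the markers is an assumption, and only the four marker strings and the /Schemas/ path come from the sources. It goes slightly beyond the list by also double-decoding the path and by distinguishing a bare ${...} probe from the full ScriptEngineManager chain.

```python
import re
from urllib.parse import unquote

# Request-side indicator from the IOC list: a GET to /Schemas/ whose path, once
# URL-decoded, carries a ${...} expression that reaches javax.script.ScriptEngineManager.
RCE_CHAIN = re.compile(
    r"\$\{.*class\.forName\s*\(\s*['\"]javax\.script\.ScriptEngineManager['\"]\s*\).*\}",
    re.DOTALL,
)
# Any other ${...} in the same path is worth a lower-severity "probe" verdict.
EL_BRACES = re.compile(r"\$\{.*?\}", re.DOTALL)

# Response-side indicator: the four strings the page lists, all present in a 400 body.
RESPONSE_MARKERS = (
    "The attribute value",
    "java.lang.UNIXProcess@",
    "has invalid value!",
    '"status" : "400"',
)


def classify_request(method: str, raw_path: str):
    """Return 'attempt' for the ScriptEngineManager chain, 'probe' for any other
    ${...} in a GET to /Schemas/, None for everything else.

    The path is decoded twice: the payload above is encoded once (%7B/%7D) and
    scanners sometimes double-encode it to slip past naive WAF rules.
    """
    if method.upper() != "GET":
        return None
    decoded = unquote(unquote(raw_path))
    if not decoded.startswith("/Schemas/"):
        return None
    if RCE_CHAIN.search(decoded):
        return "attempt"
    if EL_BRACES.search(decoded):
        return "probe"
    return None


def response_shows_execution(status: int, body: str) -> bool:
    """True when a 400 body carries all four markers. 'java.lang.UNIXProcess@' is
    the default toString() of the Process object Runtime.exec() returned, echoed
    back inside the error message, so its presence means the command actually ran."""
    return status == 400 and all(marker in body for marker in RESPONSE_MARKERS)


def triage(records):
    """Verdict per (method, path, status, body) record:
    'exploited', 'attempt', 'probe' or 'benign'."""
    verdicts = []
    for method, path, status, body in records:
        req = classify_request(method, path)
        if req == "attempt" and response_shows_execution(status, body):
            verdicts.append("exploited")
        elif req:
            verdicts.append(req)
        else:
            verdicts.append("benign")
    return verdicts


# Constructed sample records (not real traffic). The SCIM error-body layout is an
# assumption; only the four marker strings come from the sources above.
PAYLOAD = ("/Schemas/$%7B''.class.forName('javax.script.ScriptEngineManager')"
           ".newInstance().getEngineByName('js')"
           ".eval('java.lang.Runtime.getRuntime().exec(\"id\")')%7D")
SAMPLE_RECORDS = [
    # payload sent, command ran: the Process object is echoed in the error message
    ("GET", PAYLOAD, 400,
     '{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],'
     '"detail":"The attribute value java.lang.UNIXProcess@1a2b3c has invalid value!",'
     '"status" : "400"}'),
    # ordinary schema lookup
    ("GET", "/Schemas/urn:ietf:params:scim:schemas:core:2.0:User", 200,
     '{"id":"urn:ietf:params:scim:schemas:core:2.0:User"}'),
    # bare ${...} probe without the ScriptEngineManager chain
    ("GET", "/Schemas/$%7Bfoo%7D", 400,
     '{"detail":"The attribute value ${foo} has invalid value!","status" : "400"}'),
    # payload sent, but nothing executed (e.g. a patched 0.0.19 host)
    ("GET", PAYLOAD, 400,
     '{"detail":"The attribute value ${...} has invalid value!","status" : "400"}'),
]

if __name__ == "__main__":
    for (method, path, status, _), verdict in zip(SAMPLE_RECORDS, triage(SAMPLE_RECORDS)):
        print(f"{verdict:9s} {status} {method} {path[:60]}")
```

The fourth record is the case the version caveat above describes: the same payload against a host that does not evaluate it yields a 400 without the Process object, and the routine reports an attempt rather than a compromise. Request-side matching alone would not separate the two.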
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| nvd | 3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H |
| nvd | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:P |
| vulncheck | | 9.1 | CRITICAL | |

The only difference between the two NVD v3 vectors is UI:R versus UI:N, which is what moves the score from 8.1 to 9.1; the single unauthenticated GET above needs no user interaction, so the v3.1 rescoring is the one that matches the exploit.
GHSA
ghsa · 2021-02-10
CVE-2021-21479 [HIGH] CWE-59 Remote Code Execution in SCIMono
### Impact
It is possible for an attacker to inject and execute a Java expression, compromising the availability and integrity of the system.
### Patches
The issue was fixed in [version 0.0.19](https://mvnrepository.com/artifact/com.sap.scimono/scimono-server/0.0.19).
OSV
osv · 2021-02-10
CVE-2021-21479 [HIGH] Remote Code Execution in SCIMono
### Impact
It is possible for an attacker to inject and execute a Java expression, compromising the availability and integrity of the system.
### Patches
The issue was fixed in [version 0.0.19](https://mvnrepository.com/artifact/com.sap.scimono/scimono-server/0.0.19).
VulnCheck
vulncheck · 2021 · CVSS 9.1
CVE-2021-21479 [CRITICAL] SAP scimono Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
In SCIMono before 0.0.19, it is possible for an attacker to inject and execute java expression compromising the availability and integrity of the system.
Affected: SAP scimono
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-30&host_type=src&vulnerability=cve-2021-21479; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-03&host_type=src&vulnerability=cve-2021-21479; https://dashboard.shadowserver.org/statistics/honeypot/vulnera
No detection rules found.
Nuclei
nuclei · CVSS 9.1
CVE-2021-21479 [CRITICAL] SCIMono <0.0.19 - Remote Code Execution
SCIMono before 0.0.19 is vulnerable to remote code execution because it is possible for an attacker to inject and execute Java expressions and compromise the availability and integrity of the system.
Template:

```yaml
id: CVE-2021-21479

info:
  name: SCIMono <0.0.19 - Remote Code Execution
  author: dwisiswant0
  severity: critical
  description: |
    SCIMono before 0.0.19 is vulnerable to remote code execution because it is possible for an attacker to inject and
    execute java expressions and compromise the availability and integrity of the system.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
  remediation: |
    Upgrade SCIMono to version 0.0.19 or later to mitigate this vulnerability.
```

ref