cbcvebase.
CVE-2021-21479
published 2021-02-09

CVE-2021-21479: In SCIMono before 0.0.19, it is possible for an attacker to inject and execute java expression compromising the availability and integrity of the system.

Priority: P1 · 80 · Critical 9.1 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:H
ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 9.99% (95.0th percentile)

Affected (2 ranges)

Vendor   Product   Version range   Fixed in
sap      scimono   < 0.0.19        0.0.19
sap_se   scimono   < 0.0.19        0.0.19

Detection & IOCs (extracted from sources)

URL: /Schemas/$%7B''.class.forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('js').eval('java.lang.Runtime.getRuntime().exec("id")')%7D
Command: ''.class.forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('js').eval('java.lang.Runtime.getRuntime().exec("id")')
  • Detect exploitation attempts by matching HTTP responses containing all four strings simultaneously: 'The attribute value', 'java.lang.UNIXProcess@', 'has invalid value!', and '"status" : "400"' in the response body.
  • Monitor HTTP GET requests to the /Schemas/ endpoint containing URL-encoded SSTI payloads (e.g., %7B and %7D wrapping Java expression injection via ScriptEngineManager).
  • Presence of 'java.lang.UNIXProcess@' in a 400 error response body from SCIMono's /Schemas/ endpoint is a strong indicator of successful SSTI/RCE exploitation.
  • The vulnerability affects SCIMono versions before 0.0.19 only; patched versions are not exploitable via this vector.
  • The exploit uses a single unauthenticated GET request (max-request: 1), meaning no prior authentication or session is required, lowering the bar for mass exploitation.
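The request-side and response-side rules above, written out as a small classifier for web-server logs (an added example, not code from this page or from the SCIMono project). The sample request, response and `java.lang.UNIXProcess@` hash are constructed, and the sample request carries only a truncated `ScriptEngineManager` reference.

```python
import re
from urllib.parse import unquote

# Response-body markers; all four together indicate a successful
# expression evaluation (rule 1 and rule 3 above).
SUCCESS_MARKERS = (
    "The attribute value",
    "java.lang.UNIXProcess@",
    "has invalid value!",
    '"status" : "400"',
)

# Rule 2: a GET to /Schemas/ whose path carries %7B ... %7D around a
# ScriptEngineManager reference. Only the request line is inspected.
REQUEST_RE = re.compile(r"^GET\s+(?P<path>/Schemas/\S*)", re.IGNORECASE)


def is_exploit_attempt(request_line: str) -> bool:
    m = REQUEST_RE.match(request_line)
    if not m:
        return False
    path = m.group("path")
    # Accept both %7B and %7b; decode once to read the expression text.
    upper = path.upper()
    has_encoded_braces = "%7B" in upper and "%7D" in upper
    decoded = unquote(path)
    return has_encoded_braces and "ScriptEngineManager" in decoded


def is_successful_exploitation(response_body: str) -> bool:
    return all(marker in response_body for marker in SUCCESS_MARKERS)


def classify(request_line: str, response_body: str) -> str:
    """Return 'exploitation-success', 'attempt' or 'benign' for one pair."""
    if is_successful_exploitation(response_body):
        return "exploitation-success"
    if is_exploit_attempt(request_line):
        return "attempt"
    return "benign"


# Constructed sample traffic (hash value is made up).
SAMPLE_REQUEST = (
    "GET /Schemas/$%7B''.class.forName('javax.script.ScriptEngineManager')%7D HTTP/1.1"
)
BENIGN_REQUEST = "GET /Schemas/User HTTP/1.1"
SAMPLE_RESPONSE = ('{ "status" : "400", "detail" : "The attribute value '
                   'java.lang.UNIXProcess@5a2e4553 has invalid value!" }')
BENIGN_RESPONSE = ('{ "status" : "400", "detail" : "The attribute value '
                   'foo has invalid value!" }')
```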

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.1    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
nvd        v3.0     8.1    HIGH      CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
nvd        v2.0     6.4    MEDIUM    AV:N/AC:L/Au:N/C:N/I:P/A:P
vulncheck  -        9.1    CRITICAL  -