CVE-2021-40146

4 documents4 sources

Severity

9.8CRITICAL

EPSS

4.3%

top 11.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Any23 Apache Any23

Timeline

PublishedSep 11

Latest updateSep 13

Description

A Remote Code Execution (RCE) vulnerability was discovered in the Any23 YAMLExtractor.java file and is known to affect Any23 versions < 2.5. RCE vulnerabilities allow a malicious actor to execute any code of their choice on a remote machine over LAN, WAN, or internet. RCE belongs to the broader class of arbitrary code execution (ACE) vulnerabilities.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDapache/any23< 2.5

▶Mavenorg.apache.any23:apache-any23< 2.5

▶CVEListV5apache_software_foundation/apache_any23Apache Any23 — 2.5

🔴Vulnerability Details

OSV

Remote Code Execution in Any23↗2021-09-13

▶

GHSA

Remote Code Execution in Any23↗2021-09-13

▶

CVEList

A Remote Code Execution (RCE) vulnerability exists in Apache Any23 YAMLExtractor.java↗2021-09-11

▶