CVE-2021-42127
Published 2021-12-07
Priority P272 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 65.83% (99.2th percentile)
A deserialization of untrusted data vulnerability in Ivanti Avalanche before 6.3.3, using the Inforail Service, allows arbitrary code execution via the Data Repository Service.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | avalanche | < 6.3.3 | 6.3.3 |
Detection & IOCs (extracted from sources)
- Vulnerability class is deserialization of untrusted data (CWE-502) in Ivanti Avalanche before 6.3.3 via the Inforail Service / Data Repository Service — monitor for suspicious deserialization activity on these components
- No patch or version beyond 6.3.3 is confirmed safe from this CVE; upgrade Ivanti Avalanche to 6.3.3 or later to remediate
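CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |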
Ivanti
Ivanti Security Advisory: CVE-2021-42127
vendor_ivanti · 2021-12-07 · CVSS 9.8
A deserialization of untrusted data vulnerability in Ivanti Avalanche before 6.3.3, using the Inforail Service, allows arbitrary code execution via the Data Repository Service.
CVE IDs: CVE-2021-42127
CVSS Base Score: 9.8
Severity: CRITICAL
CWEs: CWE-502
GHSA
GHSA-5cxv-f998-83v8: A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6
ghsa_unreviewed · 2021-12-08
A deserialization of untrusted data vulnerability in Ivanti Avalanche before 6.3.3, using the Inforail Service, allows arbitrary code execution via the Data Repository Service.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-12-07