Skip to main content

Emissary CVE-2021-32096

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2021-05-07 cve@mitre.org
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
May 07, 2021 - 04:15 nvd
HIGH 8.8

DescriptionNVD

The ConsoleAction component of U.S. National Security Agency (NSA) Emissary 5.9.0 allows a CSRF attack that results in injecting arbitrary Ruby code (for an eval call) via the CONSOLE_COMMAND_STRING parameter.

AnalysisAI

The ConsoleAction component of U.S. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. The ConsoleAction component of U.S. National Security Agency (NSA) Emissary 5.9.0 allows a CSRF attack that results in injecting arbitrary Ruby code (for an eval call) via the CONSOLE_COMMAND_STRING parameter. Affected products include: Nsa Emissary.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2021-32639 CRITICAL POC
9.9 Jul 02

Emissary is a P2P-based, data-driven workflow engine. Rated critical severity (CVSS 9.9), this vulnerability is remotely

CVE-2021-32647 CRITICAL POC
9.1 Jun 01

Emissary is a P2P based data-driven workflow engine. Rated critical severity (CVSS 9.1), this vulnerability is remotely

CVE-2021-32093 MEDIUM POC
6.5 May 07

The ConfigFileAction component of U.S. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low

CVE-2021-32092 MEDIUM POC
6.1 May 07

A Cross-site scripting (XSS) vulnerability in the DocumentAction component of U.S. Rated medium severity (CVSS 6.1), thi

CVE-2021-32094 HIGH
8.8 May 07

U.S. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch

CVE-2021-32095 HIGH
8.1 May 07

U.S. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch

CVE-2026-35581 HIGH
7.2 Apr 07

Command injection in NSA Emissary P2P workflow engine (versions prior to 8.39.0) allows authenticated remote administrat

CVE-2021-32634 HIGH
7.2 May 21

Emissary is a distributed, peer-to-peer, data-driven workflow framework. Rated high severity (CVSS 7.2), this vulnerabil

CVE-2026-35583 MEDIUM
5.3 Apr 07

Emissary versions prior to 8.39.0 allow unauthenticated remote attackers to read arbitrary configuration files through p

CVE-2026-35571 MEDIUM
4.8 Apr 07

Stored cross-site scripting in Emissary prior to 8.39.0 allows authenticated administrators to inject malicious javascri

Share

CVE-2021-32096 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy