Skip to main content

Emissary CVE-2021-32639

CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2021-07-02 security-advisories@github.com
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jul 02, 2021 - 16:15 nvd
CRITICAL 9.9

DescriptionNVD

Emissary is a P2P-based, data-driven workflow engine. Emissary version 6.4.0 is vulnerable to Server-Side Request Forgery (SSRF). In particular, the RegisterPeerAction endpoint and the AddChildDirectoryAction endpoint are vulnerable to SSRF. This vulnerability may lead to credential leaks. Emissary version 7.0 contains a patch. As a workaround, disable network access to Emissary from untrusted sources.

AnalysisAI

Emissary is a P2P-based, data-driven workflow engine. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918), which allows attackers to make the server perform requests to unintended internal or external resources. Emissary is a P2P-based, data-driven workflow engine. Emissary version 6.4.0 is vulnerable to Server-Side Request Forgery (SSRF). In particular, the RegisterPeerAction endpoint and the AddChildDirectoryAction endpoint are vulnerable to SSRF. This vulnerability may lead to credential leaks. Emissary version 7.0 contains a patch. As a workaround, disable network access to Emissary from untrusted sources. Affected products include: Nsa Emissary. Version information: version 6.4.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and allowlist destination URLs, block requests to internal networks, use network segmentation.

CVE-2021-32647 CRITICAL POC
9.1 Jun 01

Emissary is a P2P based data-driven workflow engine. Rated critical severity (CVSS 9.1), this vulnerability is remotely

CVE-2021-32096 HIGH POC
8.8 May 07

The ConsoleAction component of U.S. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authe

CVE-2021-32093 MEDIUM POC
6.5 May 07

The ConfigFileAction component of U.S. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low

CVE-2021-32092 MEDIUM POC
6.1 May 07

A Cross-site scripting (XSS) vulnerability in the DocumentAction component of U.S. Rated medium severity (CVSS 6.1), thi

CVE-2021-32094 HIGH
8.8 May 07

U.S. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch

CVE-2021-32095 HIGH
8.1 May 07

U.S. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch

CVE-2026-35581 HIGH
7.2 Apr 07

Command injection in NSA Emissary P2P workflow engine (versions prior to 8.39.0) allows authenticated remote administrat

CVE-2021-32634 HIGH
7.2 May 21

Emissary is a distributed, peer-to-peer, data-driven workflow framework. Rated high severity (CVSS 7.2), this vulnerabil

CVE-2026-35583 MEDIUM
5.3 Apr 07

Emissary versions prior to 8.39.0 allow unauthenticated remote attackers to read arbitrary configuration files through p

CVE-2026-35571 MEDIUM
4.8 Apr 07

Stored cross-site scripting in Emissary prior to 8.39.0 allows authenticated administrators to inject malicious javascri

Share

CVE-2021-32639 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy