CVE-2021-32634— Deserialization of Untrusted Data in Emissary
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-32634
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Deserialization of Untrusted Data in Emissary
Source: NVD (National Vulnerability Database)
Vulnerability Description
Emissary is a distributed, peer-to-peer, data-driven workflow framework. Emissary 6.4.0 is vulnerable to Unsafe Deserialization of post-authenticated requests to the [`WorkSpaceClientEnqueue.action`](https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/WorkSpaceClientEnqueueAction.java) REST endpoint. This issue may lead to post-auth Remote Code Execution. This issue has been patched in version 6.5.0. As a workaround, one can disable network access to Emissary from untrusted sources.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
可信数据的反序列化
Source: NVD (National Vulnerability Database)
Vulnerability Title
Emissary 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Emissary是一个应用软件。一个基于P2P的数据驱动的工作流引擎,可在异构的可能广泛分布的多层P2P网络计算资源中运行。 Emissary 6.4.0 版本中存在安全漏洞,该漏洞源于在已通过鉴权的post请求到 WorkSpaceClientEnqueue.action 时,会导致不安全的反序列化,可能会引起远程代码执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| NationalSecurityAgency | emissary | < 6.5.0 | - |
II. Public POCs for CVE-2021-32634
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-32634
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: emissary
- CVE-2026-35582
Emissary has an OS Command Injection via Unvalidated IN_FILE - CVE-2026-35583
Emissary has a Path Traversal via Blacklist Bypass in Config - CVE-2026-35581
Emissary has a Command Injection via PLACE_NAME Configuratio - CVE-2026-35580
Emissary has GitHub Actions Shell Injection via Workflow Inp - CVE-2026-35571
Emissary has Stored XSS via Navigation Template Link Injecti
Same vendor: NationalSecurityAgency
- CVE-2026-35582
Emissary has an OS Command Injection via Unvalidated IN_FILE - CVE-2026-35583
Emissary has a Path Traversal via Blacklist Bypass in Config - CVE-2026-35581
Emissary has a Command Injection via PLACE_NAME Configuratio - CVE-2026-35580
Emissary has GitHub Actions Shell Injection via Workflow Inp - CVE-2026-35571
Emissary has Stored XSS via Navigation Template Link Injecti
Same weakness: CWE-502
- CVE-2026-44126
Insecure deserialization - CVE-2026-5127
User Frontend: AI Powered Frontend Posting, User Directory, - CVE-2026-41586
ObjectInputStream.readObject() without ObjectInputFilter in - CVE-2026-34084
PhpSpreadsheet SSRF and RCE via PHP stream wrappers in IOFac - CVE-2026-7712
MindsDB Pickle pickle.loads deserialization
V. Comments for CVE-2021-32634
No comments yet