CVE-2021-21371: Execution of untrusted code through config file
First published: Wed Mar 10 2021(Updated: )
### Impact It is possible to run arbitrary commands through the yaml.load() method. This could allow an attacker with local access to the host to run arbitrary code by running the application with a specially crafted YAML configuration file. ### Workarounds Manually adjust yaml.load() to yaml.safe_load() ### For more information If you have any questions or comments about this advisory: * Open an issue in [tenable/integration-jira-cloud](https://github.com/tenable/integration-jira-cloud/issues) * Email us at [vulnreport@tenable.com](mailto:vulnreport@tenable.com)
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Tenable Jira Cloud | <1.1.21 | |
| pip/tenable-jira-cloud | <1.1.21 | 1.1.21 |
Remedy
https://github.com/tenable/integration-jira-cloud/commit/f8c2095fd529e664e7fa25403a0a4a85bb3907d0
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/tenable/integration-jira-cloud/commit/f8c2095fd529e664e7fa25403a0a4a85bb3907d0
- https://github.com/tenable/integration-jira-cloud/security/advisories/GHSA-8278-88vv-x98r
- https://pypi.org/project/tenable-jira-cloud/
- https://pyyaml.docsforge.com/master/documentation/#loading-yaml
- https://nvd.nist.gov/vuln/detail/CVE-2021-21371
- https://github.com/pypa/advisory-database/tree/main/vulns/tenable-jira-cloud/PYSEC-2021-60.yaml
- https://pypi.org/project/tenable-jira-cloud
- https://github.com/advisories/GHSA-8278-88vv-x98r (Advisory)
Frequently Asked Questions
What is CVE-2021-21371?
CVE-2021-21371 is a vulnerability in Tenable for Jira Cloud that allows arbitrary code execution.
How severe is CVE-2021-21371?
CVE-2021-21371 has a severity score of 8.6, which is considered high.
What software is affected by CVE-2021-21371?
Tenable Jira Cloud versions up to but not including 1.1.21 are affected by CVE-2021-21371.
How can I fix CVE-2021-21371?
To fix CVE-2021-21371, update your Tenable Jira Cloud installation to a version higher than 1.1.21.
Where can I find more information about CVE-2021-21371?
You can find more information about CVE-2021-21371 on the GitHub page of Tenable for Jira Cloud and the PyPI page of tenable-jira-cloud.
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/severity
- agent/title
- agent/weakness
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-8278-88vv-x98r
- alias/CVE-2021-21371
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/description
- agent/event
- collector/nvd-cve
- source/NVD
- agent/tags
- agent/author
- collector/github-advisory
- vendor/tenable
- canonical/tenable jira cloud
- package-manager/pip