CVE-2021-23894: Unauthorized deserialization of untrusted data in McAfee DBSec
First published: Wed Jun 02 2021(Updated: )
Deserialization of untrusted data vulnerability in McAfee Database Security (DBSec) prior to 4.8.2 allows a remote unauthenticated attacker to create a reverse shell with administrator privileges on the DBSec server via carefully constructed Java serialized object sent to the DBSec server.
Credit: psirt@mcafee.com trellixpsirt@trellix.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| McAfee Database Security | <4.8.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2021-23894.
What is the title of this vulnerability?
The title of this vulnerability is Deserialization of untrusted data vulnerability in McAfee Database Security (DBSec) prior to 4.8.2.
What is the severity rating of CVE-2021-23894?
The severity rating of CVE-2021-23894 is critical with a score of 9.8.
How does CVE-2021-23894 affect McAfee Database Security?
CVE-2021-23894 affects McAfee Database Security (DBSec) prior to version 4.8.2.
How can an attacker exploit CVE-2021-23894?
A remote unauthenticated attacker can exploit CVE-2021-23894 by sending a carefully constructed Java serialized object to the DBSec server, allowing them to create a reverse shell with administrator privileges.
- collector/nvd-index
- collector/nvd-api
- agent/author
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/tags
- agent/description
- agent/event
- agent/first-publish-date
- vendor/mcafee
- canonical/mcafee database security