PT-2021-13754 · Tenable · Tenable.Sc
Nicolas Verdier · Published 2021-03-03 · Updated 2021-03-10 · CVE-2021-20076
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Tenable.sc and Tenable.sc Core versions 5.13.0 through 5.17.0
Description:
The issue allows an authenticated, unprivileged user to perform Remote Code Execution (RCE) on the Tenable.sc server via PHP (Hypertext Preprocessor) unserialization.
Recommendations:
For versions 5.13.0 through 5.17.0, update to a version that contains a fix for this issue to prevent Remote Code Execution (RCE) on the Tenable.sc server.
As a temporary workaround, consider restricting access to the PHP unserialization functionality until a patch is available.
Fix
Weakness Enumeration:
Deserialization of Untrusted Data
Affected Products:
Tenable.Sc