CVE-2021-32647

Name of the Vulnerable Software and Affected Versions Emissary (affected versions not specified)

Description The issue affects Emissary, a P2P based data-driven workflow engine, allowing post-authentication Remote Code Execution (RCE). The "CreatePlace" REST endpoint is vulnerable, accepting an sppClassName parameter to load an arbitrary class, which can be instantiated with a specific constructor signature. An attacker may find a gadget class in the application classpath to achieve RCE, disrupt the application, crash it, or leak sensitive data.

Recommendations As a temporary workaround, consider disabling network access to Emissary from untrusted sources. At the moment, there is no information about a newer version that contains a fix for this vulnerability.