PT-2022-23207 · Blue Prism · Blue Prism Enterprise
Published: 2022-08-25 · Updated: 2022-09-01 · CVE-2022-36119
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Blue Prism Enterprise versions 6.0 through 7.01
Description
The issue allows a domain-authenticated user to send a crafted message to the Blue Prism Server in a misconfigured environment, potentially leading to remote code execution due to insecure deserialization. Code would then execute in the security context of the Blue Prism Server service.
Recommendations
For Blue Prism Enterprise versions 6.0 through 7.01, restrict network access to the Blue Prism Application Server so that only the hosts and users that need it can reach it. As a temporary workaround, review and secure the configuration of the environment to prevent the Blue Prism Application Server from being exposed.
Fix
Weakness Enumeration
Deserialization of Untrusted Data
Related Identifiers
CVE-2022-36119
Affected Products
Blue Prism Enterprise