CVE-2021-42237

critical

Description

Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.

References

https://veriti.ai/blog/vulnerable-villain-when-hackers-get-hacked/

https://www.secureworks.com/research/gold-melody-profile-of-an-initial-access-broker?&web_view=true

https://www.tenable.com/blog/cisa-top-20-cves-exploited-peoples-republic-of-china-state-sponsored-actors-aa22-279a

https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a

https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776

https://blog.assetnote.io/2021/11/02/sitecore-rce/

http://sitecore.com

http://packetstormsecurity.com/files/164988/Sitecore-Experience-Platform-XP-Remote-Code-Execution.html

Details

Source: Mitre, NVD

Published: 2021-11-05

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical