Server-Side Request Forgery (SSRF) Vulnerability in Emissary Workflow Engine

CVE-2021-32639 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Emissary is a P2P-based, data-driven workflow engine. Emissary version 6.4.0 is vulnerable to Server-Side Request Forgery (SSRF). In particular, the `RegisterPeerAction` endpoint and the `AddChildDirectoryAction` endpoint are vulnerable to SSRF. This vulnerability may lead to credential leaks. Emissary version 7.0 contains a patch. As a workaround, disable network access to Emissary from untrusted sources.