CVE-2021-21371
MEDIUM
tenable-jira-cloud < 1.1.21 - Remote Code Execution via YAML Deserialization
Title source: llmDescription
Tenable for Jira Cloud is an open source project designed to pull Tenable.io vulnerability data and then generate Jira tasks and sub-tasks based on the vulnerabilities' current state. It is published on PyPI as "tenable-jira-cloud". In tenable-jira-cloud before version 1.1.21, it is possible to run arbitrary commands through the yaml.load() method. This could allow an attacker with local access to the host to run arbitrary code by running the application with a specially crafted YAML configuration file. This is fixed in version 1.1.21 by using yaml.safe_load() instead of yaml.load().
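The fix described above is the standard PyYAML hardening: yaml.safe_load() only knows the core YAML tags, so a document carrying a Python-specific tag such as !!python/object/apply fails to parse instead of instantiating objects. The following is an added example written for this entry, not code from the tenable-jira-cloud project; the configuration field names and both sample documents are constructed for illustration.

```python
import yaml
from yaml.constructor import ConstructorError

# Constructed sample config in the shape such an integration might use
# (field names are assumptions, not taken from the project).
BENIGN_CONFIG = """
jira:
  url: https://example.atlassian.net
  project: VULN
tenable:
  access_key: ACCESS_KEY_PLACEHOLDER
"""

# Constructed sample carrying a PyYAML Python-specific tag. The safe loader has
# no constructor for the !!python/ tag family and refuses the whole document;
# the legacy full/unsafe loaders would call the named Python object while parsing.
# builtins.str is used here because it is harmless.
TAGGED_CONFIG = """
jira:
  url: !!python/object/apply:builtins.str ["https://example.atlassian.net"]
"""


def load_config(text: str) -> dict:
    """Parse a YAML configuration with the safe loader only.

    A document that tries to instantiate Python objects raises ConstructorError
    inside PyYAML; it is re-raised as ValueError so callers get a single,
    clearly named failure and no path to a less restrictive loader.
    """
    try:
        data = yaml.safe_load(text)
    except ConstructorError as exc:
        raise ValueError(f"refusing config with unsupported YAML tag: {exc.problem}") from exc
    # A config file must be a mapping; anything else is rejected too.
    if not isinstance(data, dict):
        raise ValueError("config root must be a mapping")
    return data


def is_rejected(text: str) -> bool:
    """True if load_config() refuses the document, False if it parses."""
    try:
        load_config(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("benign config parsed, project =", load_config(BENIGN_CONFIG)["jira"]["project"])
    print("tagged document rejected:", is_rejected(TAGGED_CONFIG))
```

The useful check for reviewers of similar integrations is that yaml.safe_load() (or yaml.load() with Loader=yaml.SafeLoader) is the only loader reachable from configuration parsing; PyYAML 5.1 and later warn on a loader-less yaml.load() call, and 6.0 makes the Loader argument mandatory, but neither change makes yaml.Loader or yaml.UnsafeLoader safe for untrusted input.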
References (4)
Third Party Advisory x_refsource_confirm
https://github.com/tenable/integration-jira-cloud/security/advisories/GHSA-8278-88vv-x98r
Patch, Third Party Advisory x_refsource_misc
https://github.com/tenable/integration-jira-cloud/commit/f8c2095fd529e664e7fa25403a0a4a85bb3907d0
Product, Third Party Advisory x_refsource_misc
https://pypi.org/project/tenable-jira-cloud/
Third Party Advisory x_refsource_misc
https://pyyaml.docsforge.com/master/documentation/#loading-yaml
Scores
CVSS v3
5.0
EPSS
0.0008
EPSS Percentile
23.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-502
Status
published
Products (2)
pypi/tenable-jira-cloud
0 - 1.1.21 (PyPI)
tenable/jira_cloud
< 1.1.21
Published
Mar 10, 2021
Tracked Since
Feb 18, 2026