CVE-2021-42560

HIGH

Mitre Caldera - XXE

Title source: rule

Description

An issue was discovered in CALDERA 2.9.0. The Debrief plugin receives base64 encoded "SVG" parameters when generating a PDF document. These SVG documents are parsed in an unsafe manner and can be leveraged for XXE attacks (e.g., File Exfiltration, Server Side Request Forgery, Out of Band Exfiltration, etc.).

Exploits (1)

nomisec WRITEUP

by mbadanoiu · poc

https://github.com/mbadanoiu/CVE-2021-42560

View Code ZIP pw:eip

References (2)

Core 2

Core References

Release Notes, Third Party Advisory x_refsource_misc

https://github.com/mitre/caldera/releases

Exploit, Third Party Advisory x_refsource_misc

https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2021-42560-Unsafe%20XML%20Parsing-MITRE%20Caldera

Scores

CVSS v3 8.8

EPSS 0.1035

EPSS Percentile 93.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-611

Status published

Products (1)

mitre/caldera 2.9.0

Published Jan 12, 2022

Tracked Since Feb 18, 2026