Insecure Deserialization Of Untrusted Data Causing Remote Code Execution Vulnerability 

(CVE-2021-35217)

Download PDF

Summary

Insecure Deseralization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module and reported to us by ZDI.  An Authenticated Attacker could exploit it by executing WSAsyncExecuteTasks deserialization of untrusted data.

Affected Products

  • Patch Manager 2020.2.5 and earlier

Fixed Software Release

Acknowledgments

  • Jangggggg working with Trend Micro Zero Day Initiative

Advisory Details

Severity

8.9 High

Advisory ID

First Published

08/20/2021

Fixed Version

Patch Manager 2020.2.6 HF1

CVSS Score