Insecure Deserialization Of Untrusted Data Causing Remote Code Execution Vulnerability (CVE-2021-35217)

Summary

Insecure Deseralization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module and reported to us by ZDI.  An Authenticated Attacker could exploit it by executing WSAsyncExecuteTasks deserialization of untrusted data.

Affected Products

  • Patch Manager 2020.2.5 and earlier

Fixed Software Release

Acknowledgments

  • Jangggggg working with Trend Micro Zero Day Initiative
Advisory Details
Severity
High
Advisory ID

CVE-2021-35217

First Published
08/20/2021
Fixed Version

Patch Manager 2020.2.6 HF1

CVSS Score

CVSS:3.0/AV:A/AC:L/PR:L/UI:N

/S:C/C:H/I:H/A:L

Download PDF
Send an Email