Vulnerability: CVE-2021-29995: Cross site request forgery (CSRF) leading to Remote Code Execution on the CloverDX Server
Risk: High
CVSS 3.1 score: 8.8
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
A cross-site request forgery vulnerability exists in the recent version of CloverDX Server on all GUI-based endpoints (JSF). An attacker can use the vulnerability to perform any action that is allowed through the GUI endpoint. One of the features of CloverDX Server is the creation of manual task executions, which can execute shell commands; an attacker can use this to achieve remote code execution on the machine itself.
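The defence the advisory relies on (the JSF fix) is that a state-changing form post must carry proof that it came from the server's own page, not from a page the victim was lured to while logged in. The following is an added illustration of that check, not CloverDX or Mojarra code: a synchronizer token stored in the session and embedded in the form, combined with an Origin/Referer check, guarding a constructed stand-in for a "run task" GUI action. The origin `https://clover.example`, the `/run task` endpoint, the `Session`/`Request` model and the form field names are all assumptions for the example.

```python
"""Synchronizer-token plus Origin check for state-changing form posts.

Added example; not CloverDX or Mojarra code. The origin, endpoint, field
names and the request/session model are constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
SITE_ORIGIN = "https://clover.example"  # assumed origin of the server GUI


@dataclass
class Session:
    """Server-side session; the browser carries only the session cookie."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    headers: dict      # e.g. Origin / Referer as sent by the browser
    form: dict         # decoded form fields
    session: Session   # resolved from the session cookie


def render_form(session: Session) -> dict:
    """Hidden fields a legitimate page embeds in the task form (constructed)."""
    return {"csrf_token": session.csrf_token}


def origin_allowed(request: Request) -> bool:
    """Accept only when Origin (or, failing that, Referer) names our own origin.

    A missing header is treated as untrusted; browsers send Origin on
    cross-site POSTs, so a bare POST without it is not a normal GUI submit.
    """
    source = request.headers.get("Origin") or request.headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def csrf_check(request: Request) -> tuple:
    """Return (allowed, reason) for a request to a state-changing endpoint."""
    if request.method.upper() in SAFE_METHODS:
        return True, "safe method"
    if not origin_allowed(request):
        return False, "origin mismatch"
    submitted = request.form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(submitted, request.session.csrf_token):
        return False, "missing or invalid token"
    return True, "ok"


def run_task_endpoint(request: Request) -> str:
    """Constructed stand-in for a GUI action that schedules a shell task."""
    allowed, reason = csrf_check(request)
    if not allowed:
        return f"rejected: {reason}"
    return f"scheduled: {request.form.get('command')!r}"


def scenarios() -> dict:
    """Same session (same cookie) in every case; only the sending page differs."""
    session = Session()
    # Submitted from the server's own page: token present, Origin matches.
    legit = Request("POST", {"Origin": SITE_ORIGIN},
                    {**render_form(session), "command": "echo hello"}, session)
    # Auto-submitted from a third-party page: cookie rides along, token does not.
    cross_site = Request("POST", {"Origin": "https://other.example"},
                         {"command": "echo hello"}, session)
    # Origin passes but the token is wrong: a token the page never issued.
    bad_token = Request("POST", {"Origin": SITE_ORIGIN},
                        {"csrf_token": "guess", "command": "echo hello"}, session)
    # Valid token but no Origin/Referer at all: rejected by the strict policy.
    no_origin = Request("POST", {}, {**render_form(session), "command": "echo hello"},
                        session)
    return {
        "legit": run_task_endpoint(legit),
        "cross_site": run_task_endpoint(cross_site),
        "bad_token": run_task_endpoint(bad_token),
        "no_origin": run_task_endpoint(no_origin),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:>10}: {outcome}")
```

The two checks are deliberately independent: the token alone would already stop the forged post, and the origin check catches the cases where a token leaks or is absent. The `no_origin` case shows the cost of the strict policy, which rejects a technically valid submission from a client that strips both headers; a deployment that must support such clients would fall back to the token check alone there.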
Fix
Fixed in JSF 2.2.16 by the following commit:
Bug 27445260: https://github.com/javaee/mojarra/commit/55afe42437facad5274f609f47761755e5b64bf0
Previously used version of JSF: 2.2.15
Credit
Thanks to Patryk Bogusz for reporting the issue.