CVE-2021-45967

high-risk
Published 2022-03-18

An issue was discovered in Pascom Cloud Phone System before 7.20.x. A configuration error between NGINX and a backend Tomcat server leads to a path traversal in the Tomcat server, exposing unintended endpoints.

Do I need to act?

!
92.6% chance of exploitation in next 30 days
EPSS score — higher than 7% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (3)

Affected Vendors

Igniterealtime Pascom

References (8)

Exploit https://kerbit.io/research/read/blog/4
Exploit https://tutorialboy24.blogspot.com/2022/03/the-story-of-3-bugs-that-lead-to.html
Release Notes https://www.pascom.net/doc/en/release-notes/
Release Notes https://www.pascom.net/doc/en/release-notes/pascom19/
Exploit https://kerbit.io/research/read/blog/4
Exploit https://tutorialboy24.blogspot.com/2022/03/the-story-of-3-bugs-that-lead-to.html
Release Notes https://www.pascom.net/doc/en/release-notes/
Release Notes https://www.pascom.net/doc/en/release-notes/pascom19/
61
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 20/34 · Moderate
Exposure 9/34 · Low