CVE-2021-28154 Information
Jun 07, 2022
cve
Description
DISPUTED Camunda Modeler (aka camunda-modeler) through 4.6.0 allows arbitrary file access. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface which manipulates the readFile and writeFile APIs. NOTE: the vendor states "The way we secured the app is that it does not allow any remote scripts to be opened, no unsafe scripts to be evaluated, no remote sites to be browsed."
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Reference
https://github.com/camunda/camunda-modeler/issues/2143
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
Base Score
9.1
Base Severity
CRITICAL