
CVE-2021-40146:
Remote Code Execution in Any23

CVSS Score: 9.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.86676%
CWE: -
Published: 9/13/2021
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: org.apache.any23:apache-any23
Ecosystem: maven
Vulnerable Versions: < 2.5
First Patched Version: 2.5

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability explicitly references YAMLExtractor.java as the source. RCE in YAML processors typically stems from unsafe deserialization patterns. The critical clue is the involvement of YAML parsing combined with the RCE outcome, which strongly suggests the extract() method (or equivalent YAML loading logic) uses an unsafe deserialization approach. The patch in version 2.5 likely replaced Yaml.load() with Yaml.safeLoad() or added type restrictions during deserialization.
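As an added example (not Any23's or Miggo's code; the page does not name the YAML library, so SnakeYAML 1.x is assumed), the permissive default loader is shown beside the SafeConstructor-restricted loader of the kind the patch is described as likely introducing; the `Probe` class and the sample document are constructed for illustration.

```java
import java.util.Map;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

// Assumes SnakeYAML 1.x. In 2.x, SafeConstructor takes a LoaderOptions
// argument and the no-arg Yaml() already restricts global tags.
public class YamlLoaderHardening {

    // Constructed stand-in for any class reachable on the classpath.
    public static class Probe {
        private String note;
        public String getNote() { return note; }
        public void setNote(String note) { this.note = note; }
    }

    // Constructed sample: a global tag naming a class chosen by the
    // document author, not by the application.
    static final String TAGGED_DOC =
        "!!" + Probe.class.getName() + "\nnote: built by the parser\n";

    // Weak pattern: Yaml() uses the permissive Constructor, so the tag is
    // resolved with Class.forName and the class is instantiated while
    // parsing untrusted input.
    static Object loadWithDefaultConstructor(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened pattern: SafeConstructor only builds YAML core-schema types
    // (maps, lists, scalars) and throws ConstructorException on any other tag.
    static Object loadSafely(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        Object permissive = loadWithDefaultConstructor(TAGGED_DOC);
        System.out.println("default loader built: " + permissive.getClass().getName());

        try {
            loadSafely(TAGGED_DOC);
            System.out.println("unexpected: safe loader accepted the tag");
        } catch (ConstructorException e) {
            System.out.println("safe loader rejected global tag: " + e.getMessage());
        }

        // Ordinary YAML still parses with the safe loader.
        Map<?, ?> plain = (Map<?, ?>) loadSafely("name: any23\nversion: 2.5\n");
        System.out.println("safe loader result: " + plain);
    }
}
```

When reviewing a fix of this kind, confirm that every `Yaml` instance fed untrusted input is built with `SafeConstructor` (or a type-restricted constructor), not only the one in the reported file.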


WAF Protection Rules

WAF Rule

A Remote Code Execution (RCE) vulnerability was discovered in the Any23 YAMLExtractor.java file and is known to affect Any23 versions < 2.5. RCE vulnerabilities allow a malicious actor to execute any code of their choice on a remote machine over LAN,
