
CVE-2021-41569


Severity Score: 7.5 (CVSS v3.1)
Exploit Likelihood: - (EPSS; no value recorded on this page)
Affected Versions: see CPE list under "Affected Vendors, Products, and Versions"
Public Exploits: 1 (multiple sources)
Exploited in Wild: - (KEV; none recorded)
Decision: - (SSVC; not assessed)

Descriptions

SAS/Intrnet 9.4 build 1520 and earlier allows Local File Inclusion. The samples library, included by default in the appstart.sas file, exposes the sample.webcsf1.sas program to end users of the application. That program passes user-controlled macro variables to the DS2CSF macro. A user can break out of the context of the configured user-controllable variable and append further functions that are native to the macro but not exposed as variables by the library, including a function that retrieves files from the host OS.
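A log check a defender can run while the samples library is still deployed, added here as an example that is not part of the advisory or of any SAS code. It assumes, without support from the page, that the Application Dispatcher is reached through a broker CGI (the path /cgi-bin/broker below is an assumption) and that the program is selected with a _program= query parameter; the macro-call and context-break patterns are heuristics, and every log line is constructed for the example.

```python
"""Flag web-log requests that reach sample.webcsf1.sas (CVE-2021-41569).

Added example, not code from the advisory or from SAS. Assumptions not stated
on the page: dispatcher CGI path (/cgi-bin/broker), the _program= parameter,
and combined-format access logs. All log lines below are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

SAMPLE_PROGRAM = "sample.webcsf1.sas"  # program named in the advisory

# Heuristic: a SAS macro invocation (%name(...)) smuggled into a parameter value.
MACRO_CALL = re.compile(r"%\s*[A-Za-z_]\w*\s*\(")
# Heuristic: characters that close the configured macro-variable context.
CONTEXT_BREAK = re.compile(r"[;)'\"]")

# Extract the request target from a combined-format access log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def analyze_request(target):
    """Return a list of finding strings for one request target (path + query)."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    programs = [p.lower() for p in params.get("_program", [])]
    if SAMPLE_PROGRAM not in programs:
        return findings  # other programs are out of scope for this check
    findings.append("sample program requested")
    for name, values in params.items():
        if name == "_program":
            continue
        for raw in values:
            # parse_qs already decoded once; decode again to catch double encoding.
            value = unquote_plus(raw)
            if MACRO_CALL.search(value):
                findings.append(f"macro call in {name}")
            elif CONTEXT_BREAK.search(value):
                findings.append(f"context break in {name}")
    return findings


def scan_log(lines):
    """Return (client_ip, target, findings) for every line that raises a finding."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        findings = analyze_request(m.group("target"))
        if findings:
            hits.append((line.split(" ", 1)[0], m.group("target"), findings))
    return hits


# Constructed sample log lines (not real traffic).
LOGS = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/broker'
    '?_service=default&_program=sample.webcsf1.sas&_debug=0 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/broker'
    '?_service=default&_program=sample.webcsf1.sas'
    '&dataset=sashelp.class%29%3B%25mymacro%28%29 HTTP/1.1" 200 4096',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /cgi-bin/broker'
    '?_service=default&_program=myapp.report.sas&month=2024-01 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, target, findings in scan_log(LOGS):
        print(ip, target, ", ".join(findings))
```

Any hit on the sample program is worth a ticket regardless of the parameter heuristics, because the samples library should not be reachable in production at all; removing it from appstart.sas is the configuration change this check is meant to confirm. Note that only GET parameters appear in an access log, so POSTed parameters need a request-body source such as a WAF or reverse-proxy log.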


*Credits: N/A
CVSS Scores

CVSS v3.1 (base score 7.5; vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

CVSS v2 (base score 5.0; vector AV:N/AC:L/Au:N/C:P/I:N/A:N)
Attack Vector: Network
Attack Complexity: Low
Authentication: None
Confidentiality: Partial
Integrity: None
Availability: None

* Common Vulnerability Scoring System
SSVC
  • Decision: - (not assessed)
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2021-09-23 CVE Reserved
  • 2021-11-19 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-08-04 First Exploit
  • 2024-10-11 EPSS Updated
  • Exploited in Wild: not recorded
  • KEV Due Date: not recorded
CWE
  • CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CAPEC
  • none listed
Affected Vendors, Products, and Versions

Vendor  Product      Version  Other      Status
Sas     Sas/intrnet  < 9.4    -          Affected
Sas     Sas/intrnet  9.4      -          Affected
Sas     Sas/intrnet  9.4      build1520  Affected