Pega InfinityÉí·ÝÑéÖ¤Èƹý©¶´£¨CVE-2021-27651£©

Ðû²¼Ê±¼ä 2021-05-19

0x00 ©¶´¸ÅÊö

CVE  ID

CVE-2021-27651

ʱ    ¼ä

2021-05-19

Àà   ÐÍ

Éí·ÝÑéÖ¤Èƹý

µÈ    ¼¶

ÑÏÖØ

Ô¶³ÌÀûÓÃ


Ó°Ï췶Χ

Pega Infinity 8.2.1 - 8.5.2

PoC/EXP

δ¹ûÈ»

ÔÚÒ°ÀûÓÃ

·ñ

 

0x01 ©¶´ÏêÇé

image.png

 

PEGA£¨Pega systems£©¹«Ë¾ÊǹæÔòÇý¶¯Á÷³Ì×Ô¶¯»¯Êг¡µÄÁìµ¼Õߣ¬ÒµÎñ±é²¼È«Çò£¬²¢×¨×¢ÓÚ´óÐÍÆóÒµ¿Í»§£¬Æä¿Í»§ÁìÓòÉæ¼°Ò½ÁƱ£½¡¹«Ë¾¡¢±£ÏÕ¹«Ë¾¡¢ÒøÐС¢Í¨ÐÅ·þÎñÌṩÉ̵È ¡£

Pega infinityÊÇPEGA¹«Ë¾µÄÒ»Ì×ÆóÒµÈí¼þÌ×¼þ£¬½áºÏÁË¿Í»§¼ÓÈëºÍÊý×ÖÁ÷³Ì×Ô¶¯»¯¹¦Ð§£¬´Ó¶ø½µµÍÁËÅÓ´óÐÔ£¬²¢¿ÉÒÔʵÏÖËæ×ÅÊý×Ö»¯×ªÐͶøÉú³¤µÄ¿ÉÀ©Õ¹ÎÞ´úÂëÓ¦Ó÷¨Ê½ ¡£

½üÈÕ£¬PegaÐÞ¸´ÁË Pega infinityÖеÄÒ»¸öÉí·ÝÑéÖ¤Èƹý©¶´£¨CVE-2021-27651£©£¬¸Ã©¶´µÄCVSSv3ÆÀ·ÖΪ9.8 ¡£ÓÉÓÚÖØÖÃÃÜÂëµÄ´àÈõÑéÖ¤»úÖÆ£¬¹¥»÷Õß¿ÉÒÔͨ¹ýÀûÓõ±µØÕË»§µÄÃÜÂëÖØÖù¦Ð§À´Èƹýµ±µØÉí·ÝÑéÖ¤¼ì²é£¬×îÖÕʵÏÖδÊÚȨ·ÃÎÊ»òÃüÁîÖ´ÐÐ ¡£

 

0x02 ´¦Öý¨Òé

Ä¿Ç°PegaÒѾ­ÐÞ¸´ÁË´Ë©¶´£¬½¨Ò龡¿ìÓ¦ÓÃÄþ¾²¸üР¡£

ÏÂÔØÁ´½Ó£º

https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrix

 

0x03 ²Î¿¼Á´½Ó

https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrix

https://www.pega.com/infinity

https://nvd.nist.gov/vuln/detail/CVE-2021-27651

 

0x04 ʱ¼äÏß

2021-04-29  CNNVDÅû¶©¶´

2021-05-19  VSRCÐû²¼Äþ¾²Í¨¸æ

 

0x05 ¸½Â¼

 

CVSSÆÀ·Ö³ß¶È¹ÙÍø£ºhttp://www.first.org/cvss/

image.png