{
  "id": "CVE-2021-40089",
  "sourceIdentifier": "cve@mitre.org",
  "published": "2021-08-25T02:15:08.280",
  "lastModified": "2021-09-09T19:10:14.747",
  "vulnStatus": "Analyzed",
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in PrimeKey EJBCA before 7.6.0. The General Purpose Custom Publisher, which is normally run to invoke a local script upon a publishing operation, was still able to run if the System Configuration setting Enable External Script Access was disabled. With this setting disabled it's not possible to create new such publishers, but existing publishers would continue to run."
    },
    {
      "lang": "es",
      "value": "Se ha detectado un problema en PrimeKey EJBCA versiones anteriores a 7.6.0. El Editor Personalizado de Prop\u00f3sito General, que normalmente se ejecuta para invocar un script local tras una operaci\u00f3n de publicaci\u00f3n, pod\u00eda seguir ejecut\u00e1ndose si el System Configuration setting Enable External Script Access estaba deshabilitado. Con esta configuraci\u00f3n deshabilitada, no es posible crear nuevos editores de este tipo, pero los editores existentes seguir\u00edan ejecut\u00e1ndose."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
          "attackVector": "LOCAL",
          "attackComplexity": "LOW",
          "privilegesRequired": "HIGH",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "availabilityImpact": "NONE",
          "baseScore": 2.3,
          "baseSeverity": "LOW"
        },
        "exploitabilityScore": 0.8,
        "impactScore": 1.4
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
          "accessVector": "LOCAL",
          "accessComplexity": "MEDIUM",
          "authentication": "NONE",
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "NONE",
          "baseScore": 1.9
        },
        "baseSeverity": "LOW",
        "exploitabilityScore": 3.4,
        "impactScore": 2.9,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": false
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:primekey:ejbca:*:*:*:*:enterprise:*:*:*",
              "versionEndExcluding": "7.6.0",
              "matchCriteriaId": "69AD9042-C5D5-4D8D-8243-072E5D69E223"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://support.primekey.com/news/posts/54",
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ]
    }
  ]
}