nvd-json-data-feeds/CVE-2021/CVE-2021-440xx/CVE-2021-44042.json

{
  "id": "CVE-2021-44042",
  "sourceIdentifier": "cve@mitre.org",
  "published": "2021-12-14T18:15:08.673",
  "lastModified": "2022-07-12T17:42:04.277",
  "vulnStatus": "Analyzed",
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in UiPath Assistant 21.4.4. User-controlled data supplied to the --process-start argument of the URI handler for uipath-assistant:// is not correctly encoded, resulting in attacker-controlled content being injected into the error message displayed (when the injected content does not match an existing process). A determined attacker could leverage this to execute JavaScript in the context of the Electron application."
    },
    {
      "lang": "es",
      "value": "Se ha detectado un problema en UiPath Assistant versi\u00f3n 21.4.4. Los datos controlados por el usuario suministrados al argumento --process-start del manejeador de URI para uipath-assistant:// no est\u00e1n codificados correctamente, resultando en que se inyecte contenido controlado por el atacante en el mensaje de error mostrado (cuando el contenido inyectado no coincide con un proceso existente). Un atacante determinado podr\u00eda aprovechar esto para ejecutar JavaScript en el contexto de la aplicaci\u00f3n Electron"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "accessVector": "NETWORK",
          "accessComplexity": "LOW",
          "authentication": "NONE",
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5
        },
        "baseSeverity": "HIGH",
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": false
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-116"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:uipath:assistant:21.4.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "CD11C5A9-956F-4B98-8712-C3085A055EC3"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://docs.uipath.com/robot/docs/release-notes-2021-10-4",
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ]
    },
    {
      "url": "https://docs.uipath.com/robot/docs/uipath-assistant",
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ]
    }
  ]
}