Security Vulnerability Update — Accellion FTA


Accellion released patches addressing vulnerabilities in its File Transfer Appliance.

CVE-2021-27104 — Accellion File Transfer Appliance

Accellion's secure file sharing platform lets employees work with third parties across several secure channels: collaboration, virtual data rooms (VDR), managed file transfer (MFT), and SFTP.

An OS command injection vulnerability of HIGH severity was reported in the tool, which has been linked to a growing list of data breaches since December.

An unauthenticated, remote attacker could exploit the flaw by sending a specially crafted POST request to an FTA administrative endpoint.

The base metrics for CVE-2021-27104 are:

CVSS v3.0
  Base Score:   9.8
  Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2.0
  Base Score:   10
  Base Metrics: CVSS:2.0/AV:N/AC:L/AU:N/C:C/I:C/A:C

Vulnerable platforms: Accellion FTA 9_12_411 and earlier. Not vulnerable: Accellion FTA 9_12_416 and later.

Other Accellion FTA Vulnerabilities:

  • CVE-2021-27101 — a SQL injection vulnerability. An unauthenticated, remote attacker could exploit the flaw by sending a specially crafted request as part of the Host header to the document_root file on a vulnerable FTA endpoint.
    CVSS score: 9.8
  • CVE-2021-27102 — another OS command injection vulnerability. An attacker with local access and low privileges could exploit this vulnerability.
    CVSS score: 7.8
  • CVE-2021-27103 — a Server-Side Request Forgery (SSRF) vulnerability. An unauthenticated, remote attacker could exploit the flaw by sending a specially crafted POST request to the wmProgressstat file on a vulnerable FTA endpoint.
    CVSS score: 9.8

CVE              Affected FTA Versions    Patched FTA Version
CVE-2021-27101   9_12_370 and earlier     9_12_380 and later
CVE-2021-27102   9_12_411 and earlier     9_12_416 and later
CVE-2021-27103   9_12_370 and earlier     9_12_380 and later
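The table above, together with the 9_12_411 / 9_12_416 boundary for CVE-2021-27104, is what a defender needs to decide which appliances still need patching. The following is an added example (not code from the original post or from Accellion) that encodes those thresholds and reports, for an inventory of FTA builds, which of the four CVEs each build is still exposed to. The version-string format ("9_12_411") is taken from the table; hostnames in the sample inventory are constructed. Builds that fall between an "affected ... and earlier" value and the "patched ... and later" value (for example 9_12_412) are treated as exposed, which is a conservative assumption made here, not a statement from the advisory.

```python
"""Triage helper: which of the published Accellion FTA CVEs apply to a build?

Added example, not Accellion's or the original post's code. Patched
versions come from the advisory table; anything older than the patched
build is treated as exposed (a conservative assumption made here).
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Patched (fixed) build per CVE, as listed in the advisory.
PATCHED: Dict[str, str] = {
    "CVE-2021-27101": "9_12_380",
    "CVE-2021-27102": "9_12_416",
    "CVE-2021-27103": "9_12_380",
    "CVE-2021-27104": "9_12_416",
}


def parse_version(text: str) -> Version:
    """Turn 'Accellion FTA 9_12_411' or '9.12.411' into the comparable tuple (9, 12, 411)."""
    core = text.strip().upper()
    for prefix in ("ACCELLION", "FTA"):
        core = core.removeprefix(prefix).strip()
    parts = core.replace(".", "_").split("_")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FTA version string: {text!r}")
    return tuple(int(p) for p in parts)


def exposed_cves(version: str) -> List[str]:
    """CVEs whose fixed build is newer than the given build, sorted by id."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in PATCHED.items() if v < parse_version(fixed))


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map host -> outstanding CVEs for a {host: version} inventory."""
    return {host: exposed_cves(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "fta-old.example.test": "9_12_370",
        "fta-mid.example.test": "9_12_411",
        "fta-new.example.test": "9_12_416",
    }
    for host, cves in triage(sample).items():
        print(f"{host}: {', '.join(cves) if cves else 'no outstanding CVEs from this advisory'}")
```

Feeding this a real inventory export is the quick way to confirm that a fleet has actually reached 9_12_416, since a build that cleared the 9_12_380 bar for CVE-2021-27101 and CVE-2021-27103 still carries the two later command-injection fixes.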

Reference:

https://www.tenable.com/blog/accellion-patches-file-transfer-appliance-vulnerabilities-cve-2021-27101-cve-2021-27102-cve-2021-27103-cve-2021-27104


Published March 8th, 2021 | Security Update

About the Author:

FirstHackersNews - Identifies Security
