CVE-2021-43829

Public Exploit
Unrestricted Upload of Files in Patrowl

Description

PatrOwl is a free and open-source solution for orchestrating Security Operations. In versions prior to 1.7.7 PatrowlManager unrestrictly handle upload files in the findings import feature. This vulnerability is capable of uploading dangerous type of file to server leading to XSS attacks and potentially other forms of code injection. Users are advised to update to 1.7.7 as soon as possible. There are no known workarounds for this issue.

Category

7.4
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 2.54% Top 20%
Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory huntr.dev
Affected: Patrowl PatrowlManager
Published at:
Updated at:

References

Link Tags
https://github.com/Patrowl/PatrowlManager/security/advisories/GHSA-5hc9-6hq4-2xfx third party advisory
https://github.com/Patrowl/PatrowlManager/commit/2287c9715d2e7ef11b44bb0ad4a57727654f2203 third party advisory patch
https://huntr.dev/bounties/17324785-f83a-4058-ac40-03f2bfa16399/ patch third party advisory exploit

Frequently Asked Questions

What is the severity of CVE-2021-43829?
CVE-2021-43829 has been scored as a high severity vulnerability.
How to fix CVE-2021-43829?
To fix CVE-2021-43829, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-43829 being actively exploited in the wild?
It is possible that CVE-2021-43829 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~3% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-43829?
CVE-2021-43829 affects Patrowl PatrowlManager.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.