CVE-2021-3210

9.6 CRITICAL

📋 TL;DR

CVE-2021-3210 is a critical remote code execution vulnerability in BloodHound versions up to 4.0.1. Attackers can execute arbitrary system commands by tricking victims into importing malicious data files containing JavaScript payloads in the objectId parameter. This affects all BloodHound users who import data from untrusted sources.

💻 Affected Systems

Products:
  • BloodHound
Versions: <= 4.0.1
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default installation when importing data files. Requires user interaction to import malicious file.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control over the victim's machine, potentially leading to lateral movement across networks and data exfiltration.

🟠 Likely Case

Attackers execute commands to establish persistence, steal credentials, or deploy ransomware on individual compromised systems.

🟢 If Mitigated

Limited impact with proper network segmentation and endpoint protection blocking malicious payloads.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to get the victim to import a malicious file. A proof of concept is available in the project's GitHub issues.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.2 and later

Vendor Advisory: https://github.com/BloodHoundAD/BloodHound/releases/tag/4.0.2

Restart Required: No

Instructions:

1. Download BloodHound version 4.0.2 or later from the official GitHub releases.
2. Replace the existing installation with the updated version.
3. Verify the fix by checking the version number.

🔧 Temporary Workarounds

Disable file imports (all platforms)

Prevent importing of data files to block the attack vector.

Sandbox execution (linux)

Run BloodHound in an isolated environment or container:

docker run -it --rm bloodhoundad/bloodhound:latest

🧯 If You Can't Patch

  • Only import data files from trusted, verified sources
  • Run BloodHound on isolated systems with no network connectivity to production environments

🔍 How to Verify

Check if Vulnerable:

Check the BloodHound version: if it is 4.0.1 or earlier, the installation is vulnerable.

Check Version:

Check application version in BloodHound UI or installation directory

Verify Fix Applied:

Verify BloodHound version is 4.0.2 or later after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from BloodHound executable
  • Suspicious command execution patterns

Network Indicators:

  • Unexpected outbound connections from BloodHound host

SIEM Query:

Process Creation where Image contains 'bloodhound' AND CommandLine contains suspicious patterns
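The SIEM query above is pseudocode. As an added example (not from this page or the BloodHound project), the same idea in runnable Python over constructed Sysmon-style process-creation events: it keys on the parent-child relationship rather than the image name alone, and treats BloodHound's own Electron helper processes as expected children. The field names (Image, ParentImage, CommandLine), all paths and all command lines are assumptions made up for the example.

```python
import re

# Constructed Sysmon-style process-creation records (field names follow the
# common Sysmon Event ID 1 schema; paths and command lines are made up).
BH_WIN = r"C:\Tools\BloodHound\BloodHound.exe"
SAMPLE_EVENTS = [
    {"Image": BH_WIN, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "BloodHound.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": BH_WIN, "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": BH_WIN,
     "CommandLine": "powershell.exe -enc SQBFAFgA"},
    {"Image": "/bin/bash", "ParentImage": "/opt/BloodHound/BloodHound", "CommandLine": "bash -c id"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": BH_WIN, "CommandLine": "notepad.exe"},
    {"Image": BH_WIN, "ParentImage": BH_WIN, "CommandLine": "BloodHound.exe --type=renderer"},
]

# Shell interpreters that a graph-analysis GUI has no business spawning.
SHELL_IMAGES = re.compile(
    r"(^|[\\/])(cmd\.exe|powershell\.exe|pwsh\.exe|sh|bash|zsh)$", re.IGNORECASE)
# Command-line patterns that raise the severity of a shell child.
SUSPICIOUS_ARGS = re.compile(
    r"(/c\s|-c\s|-enc\b|-encodedcommand\b|curl|wget|invoke-)", re.IGNORECASE)

def is_bloodhound(path):
    return "bloodhound" in path.lower()

def classify(event):
    """Return (severity, reason) for a suspicious child of BloodHound, else None."""
    image = event.get("Image", "")
    if not is_bloodhound(event.get("ParentImage", "")):
        return None
    if is_bloodhound(image):
        return None  # Electron helper (renderer/GPU) processes are expected children
    if SHELL_IMAGES.search(image):
        args = event.get("CommandLine", "")
        severity = "high" if SUSPICIOUS_ARGS.search(args) else "medium"
        return (severity, "shell spawned by BloodHound: " + args)
    return ("low", "non-shell child spawned by BloodHound: " + image)

def detect(events):
    """Run classify() over a stream of events and return the hits in order."""
    hits = []
    for event in events:
        result = classify(event)
        if result is not None:
            hits.append({"severity": result[0], "reason": result[1], "event": event})
    return hits
```

Tune the severity regexes to your environment; the medium tier exists so that an interactive shell with no arguments is still surfaced rather than dropped.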
