PatchSiren cyber security CVE debrief

CVE-2021-27852 Checkbox CVE debrief

CVE-2021-27852 is a Checkbox Survey deserialization of untrusted data vulnerability. CISA added it to the Known Exploited Vulnerabilities catalog on 2022-04-11, which makes this a high-priority remediation item for any organization still using the product.

Vendor: Checkbox
Product: Checkbox Survey
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2022-04-11
Original CVE updated: 2022-04-11
Advisory published: 2022-04-11
Advisory updated: 2022-04-11

Who should care

Organizations that use Checkbox Survey, especially any environments still running version 6 or earlier. CISA states versions 6 and earlier are end-of-life and must be removed from agency networks; versions 7 and later are not considered vulnerable.

Technical summary

The issue is described as deserialization of untrusted data in Checkbox Survey. The supplied sources do not provide a CVSS score or deeper technical specifics, so the safest defensive interpretation is to treat affected deployments as exposed until confirmed otherwise and follow CISA's version guidance.

Defensive priority

Urgent. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog, and the supplied timeline includes a remediation due date of 2022-05-02. Remove version 6 and earlier from service and verify whether any remaining installs are version 7 or later.

Recommended defensive actions

  • Inventory all Checkbox Survey deployments and identify the installed version.
  • Remove all versions 6 and earlier from agency or enterprise networks as directed by CISA.
  • Confirm that any remaining installations are version 7 or later, since CISA states those are not considered vulnerable.
  • Prioritize remediation immediately because the vulnerability is KEV-listed and treated as actively exploited by CISA.
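The inventory and version triage described in the actions above, as an added example that is not part of the original debrief or of any Checkbox tooling. It applies the page's CISA guidance (versions 6 and earlier: remove; 7 and later: not considered vulnerable; due date 2022-05-02) to a constructed asset inventory; hostnames, versions and the CSV layout are hypothetical.

```python
import csv
import io
import re
from datetime import date
# CISA KEV guidance for CVE-2021-27852, as stated on this page.
VULNERABLE_MAX_MAJOR = 6          # versions 6 and earlier: end-of-life, remove
KEV_DUE_DATE = date(2022, 5, 2)   # remediation due date from the KEV entry
AS_OF = date(2022, 4, 20)         # constructed "today" for the sample run

# Constructed sample inventory; hostnames and versions are hypothetical.
SAMPLE_INVENTORY = """host,product,version
survey-01.example.test,Checkbox Survey,6.7.1
survey-02.example.test,Checkbox Survey,v7.0.2
survey-03.example.test,Checkbox Survey,
intranet-05.example.test,Other App,2.1
survey-04.example.test,Checkbox Survey,6
"""
def major_version(version: str):
    """Return the leading major version number, or None if it cannot be parsed."""
    m = re.match(r"^\s*v?(\d+)", version or "")
    return int(m.group(1)) if m else None

def classify(version: str) -> str:
    """Map a Checkbox Survey version string to the CISA-defined remediation state."""
    major = major_version(version)
    if major is None:
        return "unknown-version"           # cannot confirm; treat as exposed
    if major <= VULNERABLE_MAX_MAJOR:
        return "remove"                    # 6 and earlier: end-of-life, remove
    return "not-vulnerable"                # 7 and later per CISA

def triage(inventory_csv: str, today: date):
    """Return one finding per Checkbox Survey host, with days left until the KEV due date."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != "checkbox survey":
            continue                       # other products are out of scope
        state = classify(row["version"])
        findings.append({
            "host": row["host"],
            "version": row["version"] or "(unrecorded)",
            "state": state,
            "days_to_due": (KEV_DUE_DATE - today).days,
            "overdue": state != "not-vulnerable" and today > KEV_DUE_DATE,
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, AS_OF):
        print(f"{f['host']:28} {f['version']:12} {f['state']:15} due in {f['days_to_due']}d")
```

Hosts with an unrecorded version are deliberately reported as exposed rather than skipped, matching the debrief's guidance to treat deployments as exposed until confirmed otherwise.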

Evidence notes

The supplied CISA KEV metadata identifies the vendor as Checkbox, the product as Checkbox Survey, the vulnerability name as "Deserialization of Untrusted Data Vulnerability," dateAdded as 2022-04-11, and dueDate as 2022-05-02. CISA's requiredAction states: "Versions 6 and earlier for this product are end-of-life and must be removed from agency networks. Versions 7 and later are not considered vulnerable." The provided corpus does not include a CVSS score.

Official resources

Publicly disclosed on 2022-04-11 and added to CISA's KEV catalog the same day, based on the supplied publication dates.