CVE-2021-21269

Keymaker is a Mastodon Community Finder based Matrix Community serverlist page Server. In Keymaker before version 0.2.0, the assets endpoint did not check for the extension. The rust `join` method without checking user input might have made it abe to do a Path Traversal attack causing to read more files than allowed. This is fixed in version 0.2.0.

CVSS v3 7.7 HIGH
CVSS v2.0 4.0 MEDIUM

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/keymaker-mx/keymaker/commit/63f3012b390ff1519a84100df9e5dff5058bb926	Patch Third Party Advisory
https://github.com/keymaker-mx/keymaker/security/advisories/GHSA-pg25-xfcf-vjvm	Third Party Advisory
https://github.com/keymaker-mx/keymaker/commit/63f3012b390ff1519a84100df9e5dff5058bb926	Patch Third Party Advisory
https://github.com/keymaker-mx/keymaker/security/advisories/GHSA-pg25-xfcf-vjvm	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:keymaker_project:keymaker:*:*:*:*:*:*:*:*

History

21 Nov 2024, 05:47

Type	Values Removed	Values Added
CVSS	v2 : ~~4.0~~ v3 : ~~6.5~~	v2 : 4.0 v3 : 7.7
References	~~() https://github.com/keymaker-mx/keymaker/commit/63f3012b390ff1519a84100df9e5dff5058bb926 - Patch, Third Party Advisory~~	() https://github.com/keymaker-mx/keymaker/commit/63f3012b390ff1519a84100df9e5dff5058bb926 - Patch, Third Party Advisory
References	~~() https://github.com/keymaker-mx/keymaker/security/advisories/GHSA-pg25-xfcf-vjvm - Third Party Advisory~~	() https://github.com/keymaker-mx/keymaker/security/advisories/GHSA-pg25-xfcf-vjvm - Third Party Advisory

Information

Published : 2021-01-20 18:15

Updated : 2024-11-21 05:47

NVD link : CVE-2021-21269

Mitre link : CVE-2021-21269

CVE.ORG link : CVE-2021-21269

JSON object : View

Products Affected

keymaker_project

keymaker

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2021-21269", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2021-01-20T18:15:12.627", "references": [{"url": "https://github.com/keymaker-mx/keymaker/commit/63f3012b390ff1519a84100df9e5dff5058bb926", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/keymaker-mx/keymaker/security/advisories/GHSA-pg25-xfcf-vjvm", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/keymaker-mx/keymaker/commit/63f3012b390ff1519a84100df9e5dff5058bb926", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/keymaker-mx/keymaker/security/advisories/GHSA-pg25-xfcf-vjvm", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Keymaker is a Mastodon Community Finder based Matrix Community serverlist page Server. In Keymaker before version 0.2.0, the assets endpoint did not check for the extension. The rust `join` method without checking user input might have made it abe to do a Path Traversal attack causing to read more files than allowed. This is fixed in version 0.2.0."}, {"lang": "es", "value": "Keymaker es un servidor de p\u00e1ginas de lista de servidores Matrix Community basado en Mastodon Community Finder. En Keymaker anterior a versi\u00f3n 0.2.0, el endpoint de activos no comprobaba la extensi\u00f3n. El m\u00e9todo de rust \"join\" sin verificar la entrada del usuario podr\u00eda haber hecho que sea posible realizar un ataque de Salto de Ruta causando la lectura de m\u00e1s archivos de los permitidos. Esto es corregido en la versi\u00f3n 0.2.0"}], "lastModified": "2024-11-21T05:47:53.877", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:keymaker_project:keymaker:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DB094811-E3DB-42F0-B93C-9A852D9B92AC", "versionEndExcluding": "0.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}