CVE-2021-21297

{"id": "CVE-2021-21297", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2021-02-26T17:15:12.210", "references": [{"url": "https://github.com/node-red/node-red/releases/tag/1.2.8", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.npmjs.com/package/%40node-red/editor-api", "source": "security-advisories@github.com"}, {"url": "https://www.npmjs.com/package/%40node-red/runtime", "source": "security-advisories@github.com"}, {"url": "https://github.com/node-red/node-red/releases/tag/1.2.8", "tags": ["Release Notes", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.npmjs.com/package/%40node-red/editor-api", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.npmjs.com/package/%40node-red/runtime", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-915"}, {"lang": "en", "value": "CWE-1321"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-1321"}]}], "descriptions": [{"lang": "en", "value": "Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the 1.2.8 release. A workaround is to ensure only authorized users are able to access the editor url."}, {"lang": "es", "value": "Node-Red es una programaci\u00f3n de low-code para aplicaciones basadas en eventos dise\u00f1adas usando nodejs. Node-RED versiones 1.2.7 y anteriores contienen, una vulnerabilidad de Contaminaci\u00f3n de Prototipos en la API de administraci\u00f3n. Una petici\u00f3n mal formada puede modificar el prototipo del Objeto JavaScript predeterminado con el potencial de afectar el comportamiento predeterminado del tiempo de ejecuci\u00f3n de Node-RED. La vulnerabilidad est\u00e1 parcheada en versi\u00f3n 1.2.8. Una soluci\u00f3n alternativa es asegurarse de que solo los usuarios autorizados puedan ser capaces de acceder a la URL de editor"}], "lastModified": "2024-11-21T05:47:58.020", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nodered:node-red:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "FD380E45-4954-4427-90D5-66896B983B30", "versionEndExcluding": "1.2.8"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}