CVE-2021-29452

a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/curveball/a12n-server/security/advisories/GHSA-8hw9-22v6-9jr9	Third Party Advisory
https://www.npmjs.com/package/%40curveball/a12n-server

Configurations

Configuration 1 (hide)

cpe:2.3:a:curveballjs:a12n-server:*:*:*:*:*:node.js:*:*

History

07 Nov 2023, 03:32

Type	Values Removed	Values Added
References	~~{'url': 'https://www.npmjs.com/package/@curveball/a12n-server', 'name': 'https://www.npmjs.com/package/@curveball/a12n-server', 'tags': ['Product', 'Third Party Advisory'], 'refsource': 'MISC'}~~	() https://www.npmjs.com/package/%40curveball/a12n-server -

Information

Published : 2021-04-16 22:15

Updated : 2024-02-28 18:28

NVD link : CVE-2021-29452

Mitre link : CVE-2021-29452

CVE.ORG link : CVE-2021-29452

JSON object : View

Products Affected

curveballjs

a12n-server

CWE

CWE-863

Incorrect Authorization

CWE-269

Improper Privilege Management

{"id": "CVE-2021-29452", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2021-04-16T22:15:14.310", "references": [{"url": "https://github.com/curveball/a12n-server/security/advisories/GHSA-8hw9-22v6-9jr9", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.npmjs.com/package/%40curveball/a12n-server", "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2."}, {"lang": "es", "value": "a12n-server es un paquete npm que presenta como objetivo proporcionar un sistema de autenticaci\u00f3n simple. Se agreg\u00f3 un nuevo HAL-Form para permitir la edici\u00f3n de usuarios en versi\u00f3n 0.18.0. Esta funci\u00f3n solo deber\u00eda haber sido accesible para administradores. Lamentablemente, unos privilegios fueron comprobados incorrectamente, permitiendo a cualquier usuario que haya iniciado sesi\u00f3n realizar este cambio. Parcheado en la versi\u00f3n v0.18.2"}], "lastModified": "2023-11-07T03:32:36.477", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:curveballjs:a12n-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "7D971DD6-E98D-46FA-A919-D533FCF824CC", "versionEndExcluding": "0.18.2", "versionStartIncluding": "0.18.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}