CVE-2021-36383

{"id": "CVE-2021-36383", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2021-07-12T14:15:11.770", "references": [{"url": "https://github.com/vatesfr/xen-orchestra/issues/5712", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/vatesfr/xen-orchestra/issues/5712", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "Xen Orchestra (with xo-web through 5.80.0 and xo-server through 5.84.0) mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data is which the attacker changes the permission field from none to admin. The attacker gains access to data sets such as VMs, Backups, Audit, Users, and Groups."}, {"lang": "es", "value": "Xen Orchestra (con xo-web versiones hasta 5.80.0 y xo-server versiones hasta 5.84.0) maneja inapropiadamente la autorizaci\u00f3n, como es demostrado por los datos modificados de WebSocket resourceSet.getAll en los que el atacante cambia el campo permission de none a admin. El atacante obtiene acceso a conjuntos de datos como VMs, Copias de Seguridad, Auditor\u00eda, Usuarios y Grupos"}], "lastModified": "2024-11-21T06:13:39.177", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xen-orchestra:xo-server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D28E9332-7ACF-4554-81C0-ECA4BDE1DB0F", "versionEndIncluding": "5.84.0"}, {"criteria": "cpe:2.3:a:xen-orchestra:xo-web:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9AFB1AD0-37E5-401A-8EE4-B61CD438C4C8", "versionEndIncluding": "5.80.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}