CVE-2021-36804

Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows the target's e-mail address. This issue was fixed in version 2.1.13 of the product. Please note that this issue is ultimately caused by the defaults provided by the Laravel framework, specifically how proxy headers are handled with respect to multi-tenant implementations. In other words, while this is not technically a vulnerability in Laravel, this default configuration is very likely to lead to practically identical identical vulnerabilities in Laravel projects that implement multi-tenant applications.

CVSS v3 8.1 HIGH
CVSS v2.0 5.8 MEDIUM

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability : 8.6 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/laravel/laravel/pull/5477	Issue Tracking Patch Third Party Advisory
https://www.laravel-enlightn.com/docs/security/host-injection-analyzer.html	Third Party Advisory
https://www.rapid7.com/blog/post/2021/07/27/multiple-open-source-web-app-vulnerabilities-fixed/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:akaunting:akaunting:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-08-04 23:15

Updated : 2024-02-28 18:28

NVD link : CVE-2021-36804

Mitre link : CVE-2021-36804

CVE.ORG link : CVE-2021-36804

JSON object : View

Products Affected

akaunting

akaunting

CWE

CWE-640

Weak Password Recovery Mechanism for Forgotten Password

{"id": "CVE-2021-36804", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cve@rapid7.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2021-08-04T23:15:08.243", "references": [{"url": "https://github.com/laravel/laravel/pull/5477", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "cve@rapid7.com"}, {"url": "https://www.laravel-enlightn.com/docs/security/host-injection-analyzer.html", "tags": ["Third Party Advisory"], "source": "cve@rapid7.com"}, {"url": "https://www.rapid7.com/blog/post/2021/07/27/multiple-open-source-web-app-vulnerabilities-fixed/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@rapid7.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-640"}]}, {"type": "Secondary", "source": "cve@rapid7.com", "description": [{"lang": "en", "value": "CWE-640"}]}], "descriptions": [{"lang": "en", "value": "Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows the target's e-mail address. This issue was fixed in version 2.1.13 of the product. Please note that this issue is ultimately caused by the defaults provided by the Laravel framework, specifically how proxy headers are handled with respect to multi-tenant implementations. In other words, while this is not technically a vulnerability in Laravel, this default configuration is very likely to lead to practically identical identical vulnerabilities in Laravel projects that implement multi-tenant applications."}, {"lang": "es", "value": "Akaunting versiones 2.1.12 y anteriores, sufren de una vulnerabilidad de suplantaci\u00f3n de restablecimiento de contrase\u00f1a, donde un atacante puede delegar peticiones de restablecimiento de contrase\u00f1a mediante una instancia de Akaunting en ejecuci\u00f3n, si ese atacante conoce la direcci\u00f3n de correo electr\u00f3nico del objetivo. Este problema se ha corregido en la versi\u00f3n 2.1.13 del producto. Tenga en cuenta que este problema es causado en \u00faltima instancia por los valores predeterminados proporcionados por el marco de Laravel, espec\u00edficamente c\u00f3mo se manejan los encabezados de proxy con respecto a las implementaciones multi-tenant. En otras palabras, mientras que esto no es t\u00e9cnicamente una vulnerabilidad en Laravel, esta configuraci\u00f3n predeterminada es muy probable que conlleve a vulnerabilidades pr\u00e1cticamente id\u00e9nticas en proyectos de Laravel que implementen aplicaciones multi-tenant"}], "lastModified": "2021-08-13T13:30:32.623", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:akaunting:akaunting:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1C0E3BA7-1D63-44C7-B536-A68FB76A3126", "versionEndExcluding": "2.1.13"}], "operator": "OR"}]}], "sourceIdentifier": "cve@rapid7.com"}