CVE-2021-37933

{"id": "CVE-2021-37933", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2021-10-14T16:15:09.123", "references": [{"url": "https://gist.github.com/andrey-lomtev/cbf12bc8d8763996cf8d6d1641a0b049", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://gist.github.com/andrey-lomtev/cbf12bc8d8763996cf8d6d1641a0b049", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-74"}]}], "descriptions": [{"lang": "en", "value": "An LDAP injection vulnerability in /account/login in Huntflow Enterprise before 3.10.6 could allow an unauthenticated, remote user to modify the logic of an LDAP query and bypass authentication. The vulnerability is due to insufficient server-side validation of the email parameter before using it to construct LDAP queries. An attacker could bypass authentication exploiting this vulnerability by sending login attempts in which there is a valid password but a wildcard character in email parameter."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n LDAP en /account/login en Huntflow Enterprise versiones anteriores a 3.10.6, podr\u00eda permitir a un usuario remoto no autenticado modificar la l\u00f3gica de una consulta LDAP y omitir la autenticaci\u00f3n. La vulnerabilidad es debido a una comprobaci\u00f3n insuficiente en el lado del servidor del par\u00e1metro email antes de usarlo para construir consultas LDAP. Un atacante podr\u00eda omitir la autenticaci\u00f3n explotando esta vulnerabilidad mediante el env\u00edo de intentos de inicio de sesi\u00f3n en los que se presenta una contrase\u00f1a v\u00e1lida pero un car\u00e1cter comod\u00edn en el par\u00e1metro email"}], "lastModified": "2024-11-21T06:16:05.737", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:huntflow:huntflow_enterprise:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4BAFA4A0-B791-413F-A603-E7F9E2F59F0E", "versionEndExcluding": "3.10.6"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}