CVE-2021-43437

{"id": "CVE-2021-43437", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2021-12-20T20:15:07.660", "references": [{"url": "https://medium.com/%40mayhem7999/cve-2021-43437-5c5e3b977e84", "source": "cve@mitre.org"}, {"url": "https://portswigger.net/web-security/host-header", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://medium.com/%40mayhem7999/cve-2021-43437-5c5e3b977e84", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://portswigger.net/web-security/host-header", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-74"}]}], "descriptions": [{"lang": "en", "value": "In sourcecodetester Engineers Online Portal as of 10-21-21, an attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways. Very often multiple websites are hosted on the same IP address. This is where the Host Header comes in. This header specifies which website should process the HTTP request. The web server uses the value of this header to dispatch the request to the specified website. Each website hosted on the same IP address is called a virtual host. And It's possible to send requests with arbitrary Host Headers to the first virtual host."}, {"lang": "es", "value": "En el portal online de sourcecodetester Engineers a partir del 21-10-21, un atacante puede manipular el encabezado Host visualizada por la aplicaci\u00f3n web y causar que la aplicaci\u00f3n se comporte de forma inesperada. Muy a menudo varios sitios web est\u00e1n alojados en la misma direcci\u00f3n IP. Aqu\u00ed es donde entra en juego el encabezado Host. Este encabezado especifica qu\u00e9 sitio web debe procesar la petici\u00f3n HTTP. El servidor web usa el valor de este encabezado para enviar la petici\u00f3n al sitio web especifico. Cada sitio web alojado en la misma direcci\u00f3n IP es denominado host virtual. Y es posible enviar peticiones con encabezados de host arbitrarias al primer host virtual"}], "lastModified": "2024-11-21T06:29:13.277", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:engineers_online_portal_project:engineers_online_portal:1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EE2C0236-1BC6-45DD-B5A5-1FE81BD75296"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}