Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ncnZtLWdjcWYtZ2g4cc4AApGy
Xen Orchestra Mishandles Authorization
Xen Orchestra (with xo-web through 5.80.0 and xo-server through 5.84.0) mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data in which the attacker changes the permission field from none to admin. The attacker gains access to data sets such as VMs, Backups, Audit, Users, and Groups.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ncnZtLWdjcWYtZ2g4cc4AApGy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 7 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-grvm-gcqf-gh8q, CVE-2021-36383
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-36383
- https://github.com/vatesfr/xen-orchestra/issues/5712
- https://github.com/advisories/GHSA-grvm-gcqf-gh8q
Blast Radius: 0.0
Affected Packages
npm:xo-server
Dependent packages: 0
Dependent repositories: 1
Downloads: 54 last month
Affected Version Ranges: <= 5.84.0
No known fixed version
All affected versions: 3.5.0, 3.6.0, 3.7.0, 3.8.0, 3.9.0, 3.9.1, 3.9.2, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.2.0, 4.3.0, 4.3.2, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.9.2, 4.10.0, 4.10.2, 4.11.0, 4.12.0, 4.13.0, 4.14.2, 4.15.1, 4.16.0, 5.0.1, 5.2.4, 5.2.5, 5.2.6, 5.3.0, 5.4.0, 5.7.4
npm:xo-web
Dependent packages: 0
Dependent repositories: 1
Downloads: 63 last month
Affected Version Ranges: <= 5.80.0
No known fixed version
All affected versions: 3.4.0, 3.5.0, 3.5.1, 3.6.0, 3.8.1, 3.9.0, 3.9.1, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.5.1, 4.6.0, 4.6.1, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 4.11.0, 4.12.0, 4.13.0, 4.14.1, 5.0.2, 5.0.3, 5.2.2, 5.2.3, 5.3.0, 5.7.10