Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oZjJtLWo5OHItNGZxd80YdA
API token verification can be bypassed in NodeBB
Impact
Incorrect logic present in the token verification step unintentionally allowed master token access to the API.
Patches
The vulnerability has been patch as of v1.18.5.
Workarounds
Cherry-pick commit hash 04dab1d550cdebf4c1567bca9a51f8b9ca48a500 to receive this patch in lieu of a full upgrade.
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oZjJtLWo5OHItNGZxd80YdA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-hf2m-j98r-4fqw, CVE-2021-43786
References:
- https://github.com/NodeBB/NodeBB/security/advisories/GHSA-hf2m-j98r-4fqw
- https://nvd.nist.gov/vuln/detail/CVE-2021-43786
- https://github.com/NodeBB/NodeBB/commit/04dab1d550cdebf4c1567bca9a51f8b9ca48a500
- https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5
- https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/
- https://github.com/advisories/GHSA-hf2m-j98r-4fqw
Blast Radius: 4.7
Affected Packages
npm:nodebb
Dependent packages: 1Dependent repositories: 3
Downloads: 140 last month
Affected Version Ranges: >= 1.15.0, < 1.18.5
Fixed in: 1.18.5
All affected versions:
All unaffected versions: 0.4.3, 0.6.1, 0.7.0, 0.8.2, 1.4.0