Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tNmo0LThyN3Atd3BwM80WNw
BuddyPress privilege escalation via REST API
Impact
A non-privileged, regular user can obtain administrator rights by exploiting an issue in the BuddyPress REST API members endpoint.
Patches
The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version or later to mitigate the issue.
References
https://buddypress.org/2021/03/buddypress-7-2-1-security-release/
For more information
If you have any questions or comments about this advisory:
- Open an issue in HackerOne
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tNmo0LThyN3Atd3BwM80WNw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: almost 2 years ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-m6j4-8r7p-wpp3, CVE-2021-21389
References:
- https://github.com/buddypress/BuddyPress/security/advisories/GHSA-m6j4-8r7p-wpp3
- https://nvd.nist.gov/vuln/detail/CVE-2021-21389
- https://buddypress.org/2021/03/buddypress-7-2-1-security-release/
- https://codex.buddypress.org/releases/version-7-2-1/
- https://github.com/advisories/GHSA-m6j4-8r7p-wpp3
Blast Radius: 6.8
Affected Packages
packagist:buddypress/buddypress
Dependent packages: 2
Dependent repositories: 7
Downloads: 1,933 total
Affected Version Ranges: >= 5.0.0, < 7.2.1
Fixed in: 7.2.1
All affected versions: 5.0.0, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.2.1, 5.2.2, 6.0.0, 6.1.0, 6.2.0, 6.3.0, 6.4.0, 6.4.2, 6.4.3, 7.0.0, 7.1.0, 7.2.0
All unaffected versions: 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.4.0, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 3.0.0, 3.1.0, 3.2.0, 3.2.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.4.1, 7.2.1, 7.3.0, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.2, 8.0.3, 8.0.4, 9.0.0, 9.1.1, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 10.0.0, 10.1.0, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 11.0.0, 11.1.0, 11.2.0, 11.3.1, 11.3.2, 11.4.0, 11.4.1, 11.4.2, 12.0.0, 12.1.1, 12.2.0, 12.3.0, 12.4.0, 12.4.1, 12.5.0, 12.5.1, 14.0.0, 14.1.0
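The affected range above (>= 5.0.0, < 7.2.1, fixed in 7.2.1) is what an inventory check should encode. The following is an added example, not code from ecosyste.ms or the BuddyPress project: it parses a version string into a comparable tuple, checks it against the advisory's range, and applies the check to two constructed inputs, a composer.lock fragment naming packagist:buddypress/buddypress and a plugin file header of the kind WordPress reads a `Version:` line from. The sample lock and header contents are constructed for this example; the only identifiers taken from the page are the package name and the version bounds. Pre-release tags (for example `7.2.1-beta1`) sort below the matching release, so a pre-release of the fixed version is still reported as affected, and a version Composer expresses as a branch alias (for example `dev-master`) is reported as unknown rather than silently treated as fixed.

```python
import json
import re

# Package and bounds as stated in the advisory.
PACKAGE = "buddypress/buddypress"
AFFECTED_MIN = (5, 0, 0, 0)   # >= 5.0.0 (pre-releases of 5.0.0 are flagged too)
FIXED_IN = (7, 2, 1, 1)       # < 7.2.1  (a pre-release of 7.2.1 is still below this)

# major.minor.patch with an optional leading "v" and an optional "-prerelease" suffix.
_VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(-[0-9A-Za-z.]+)?$")


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch, is_release) so tuples compare correctly.

    is_release is 1 for a final release and 0 for a pre-release, which puts
    7.2.1-beta1 below 7.2.1. Missing minor/patch components count as 0.
    Strings that are not dotted numbers (dev-master, build metadata) raise.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x or 0) for x in m.group(1, 2, 3))
    is_release = 0 if m.group(4) else 1
    return (major, minor, patch, is_release)


def is_affected(version: str) -> bool:
    """True if version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def affected_packages_in_lock(lock_json: str) -> list:
    """Scan a composer.lock document for the affected package.

    Returns (section, version, status) tuples with status one of
    "affected", "fixed" or "unknown" (version could not be compared and
    needs manual review, e.g. a branch alias such as dev-master).
    """
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") != PACKAGE:
                continue
            version = pkg.get("version", "")
            try:
                status = "affected" if is_affected(version) else "fixed"
            except ValueError:
                status = "unknown"
            findings.append((section, version, status))
    return findings


def version_from_plugin_header(php_source: str):
    """Extract the Version: value from a WordPress plugin header comment.

    Returns None when no header line is present.
    """
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.MULTILINE)
    return m.group(1) if m else None


# Constructed sample inputs (not taken from any real deployment).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "buddypress/buddypress", "version": "7.2.0"},
        {"name": "example/unrelated", "version": "1.0.0"},
    ],
    "packages-dev": [],
})

SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: BuddyPress
 * Version: 7.1.0
 */
"""

if __name__ == "__main__":
    for section, version, status in affected_packages_in_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {version} ({section}): {status}")
    header_version = version_from_plugin_header(SAMPLE_PLUGIN_HEADER)
    print(f"plugin header version {header_version}: "
          f"{'affected' if is_affected(header_version) else 'fixed'}")
```

Run it against a real composer.lock or bp-loader.php by reading the file into `affected_packages_in_lock` or `version_from_plugin_header`; any result other than "fixed" should be treated as needing the update to 7.2.1 or later, and an "unknown" result means the version string must be resolved by hand before the installation is marked clean.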