Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThodzktMjJ2Ni05anI5
Any logged in user could edit any other logged in user.
Impact
Everyone who is running a12n-server.
A new HAL-Form was added to allow editing users. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change.
Patches
Patched in v0.18.2
Permalink: https://github.com/advisories/GHSA-8hw9-22v6-9jr9JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThodzktMjJ2Ni05anI5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: over 1 year ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-8hw9-22v6-9jr9, CVE-2021-29452
References:
- https://github.com/curveball/a12n-server/security/advisories/GHSA-8hw9-22v6-9jr9
- https://www.npmjs.com/package/@curveball/a12n-server
- https://nvd.nist.gov/vuln/detail/CVE-2021-29452
- https://github.com/advisories/GHSA-8hw9-22v6-9jr9
Blast Radius: 1.0
Affected Packages
npm:@curveball/a12n-server
Dependent packages: 1Dependent repositories: 0
Downloads: 22 last month
Affected Version Ranges: >= 0.18.0, < 0.18.2
Fixed in: 0.18.2
All affected versions: 0.18.0, 0.18.1
All unaffected versions: 0.15.3, 0.15.4, 0.15.5, 0.16.0, 0.17.0, 0.17.1, 0.17.2, 0.18.2, 0.18.3, 0.19.0, 0.19.1, 0.19.2, 0.19.4, 0.19.6, 0.19.7, 0.19.8, 0.19.9, 0.19.10, 0.19.11, 0.19.12, 0.20.0, 0.20.1, 0.20.2, 0.20.3, 0.20.4, 0.21.0, 0.21.1, 0.21.2, 0.21.3, 0.22.0, 0.23.0, 0.23.1, 0.24.0, 0.25.0, 0.25.1, 0.25.4