Vulnerability CVE-2021-28122


Published: 2021-03-10

Description:
A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.0. The WebUI component allows an unauthenticated user to use a crafted HTTP API request to create, read, update, or delete entries in the subscriber database. For example, new administrative users can be added. The issue occurs because Express is not set up to require authentication.

Type:

CWE-287

(Improper Authentication)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Open5gs -> Open5gs 

 References:
https://github.com/open5gs/open5gs/issues/837
https://github.com/open5gs/open5gs/pull/838
https://github.com/open5gs/open5gs/releases

Copyright 2024, cxsecurity.com

 

Back to Top