Vulnerability CVE-2021-29452


Published: 2021-04-16   Modified: 2021-04-17

Description:
a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2.
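The defect class the advisory describes is an endpoint that checks only that a session exists, when it should check that the session belongs to an administrator. The following is an added illustration written for this page, not code from a12n-server or the Curveball project; the principal object shape, the role strings, and the function names (flawedGuard, requireRole, editUser, canEditWith) are assumptions chosen for the example. It is in JavaScript because a12n-server is an npm (Node.js) package.

```javascript
// Added example (not a12n-server's code): the difference between "is logged in"
// and "is allowed to perform this action" in a user-editing handler.
// Principal shape and role names are constructed for this example.

const ROLE_ADMIN = 'admin';
const ROLE_USER = 'user';

// Constructed sample principals: one administrator, one ordinary user.
const alice = { id: 1, roles: [ROLE_ADMIN] };
const bob = { id: 2, roles: [ROLE_USER] };

class UnauthorizedError extends Error {
  constructor(message) { super(message); this.status = 401; }
}
class ForbiddenError extends Error {
  constructor(message) { super(message); this.status = 403; }
}

// Flawed guard: it answers "is anyone logged in?" and nothing more.
// This is the class of check the advisory describes: every authenticated
// user, not just admins, passes it.
function flawedGuard(principal) {
  if (!principal) throw new UnauthorizedError('login required');
  return true;
}

// Corrected guard: authentication first, then the specific privilege
// required for this action. Missing or malformed role data is treated as
// "no role", so the default is to deny.
function requireRole(principal, role) {
  if (!principal) throw new UnauthorizedError('login required');
  const roles = Array.isArray(principal.roles) ? principal.roles : [];
  if (!roles.includes(role)) {
    throw new ForbiddenError(`role "${role}" required`);
  }
  return true;
}
const adminOnly = (principal) => requireRole(principal, ROLE_ADMIN);

// Hypothetical user-editing handler. The guard is passed in so the flawed and
// corrected behaviour can be compared on identical input. The check runs on
// the server-side action itself, not merely on whether the edit form is
// shown to the client.
function editUser(principal, guard, targetUserId, patch) {
  guard(principal);
  return { id: targetUserId, ...patch, editedBy: principal.id };
}

// Returns true if the given principal is allowed to edit under the given
// guard, false on a 401/403 outcome; any other error is a real bug.
function canEditWith(guard, principal) {
  try {
    editUser(principal, guard, 42, { nickname: 'example' });
    return true;
  } catch (err) {
    if (err.status === 401 || err.status === 403) return false;
    throw err;
  }
}

module.exports = { flawedGuard, requireRole, adminOnly, editUser, canEditWith, alice, bob };
```

With the flawed guard, bob (an ordinary user) can edit other accounts; with the role-based guard only alice can, and an anonymous request is rejected outright. The practical takeaway for reviewing similar code is to ask, for every state-changing route, which privilege it requires rather than whether a session is present.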

Type: CWE-269 (Improper Privilege Management)

CVSS2 => (AV:N/AC:L/Au:S/C:N/I:P/A:N)

CVSS Base Score:         4/10
Impact Subscore:         2.9/10
Exploitability Subscore: 8/10

Exploit range:           Remote
Attack complexity:       Low
Authentication:          Single time

Confidentiality impact:  None
Integrity impact:        Partial
Availability impact:     None

Affected software:
Curveballjs -> A12n-server

References:
https://www.npmjs.com/package/@curveball/a12n-server
https://github.com/curveball/a12n-server/security/advisories/GHSA-8hw9-22v6-9jr9

Copyright 2022, cxsecurity.com
