CVE-2021-29452
Published Apr 16, 2021
Last updated a year ago
Overview
- Description
- a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2.
- Source
- security-advisories@github.com
- NVD status
- Modified
Social media
- Hype score
- Not currently trending
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 6.5
- Impact score
- 3.6
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
- Severity
- MEDIUM
CVSS 2.0
- Type
- Primary
- Base score
- 4
- Impact score
- 2.9
- Exploitability score
- 8
- Vector string
- AV:N/AC:L/Au:S/C:N/I:P/A:N
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:curveballjs:a12n-server:*:*:*:*:*:node.js:*:*",
"vulnerable": true,
"matchCriteriaId": "7D971DD6-E98D-46FA-A919-D533FCF824CC",
"versionEndExcluding": "0.18.2",
"versionStartIncluding": "0.18.0"
}
],
"operator": "OR"
}
]
}
]