9.8

CVE-2021-27228

EPSS 0.42%
Veröffentlicht 22.02.2021 17:15:12
Zuletzt bearbeitet 21.11.2024 05:57:38
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered in Shinobi through ocean version 1. lib/auth.js has Incorrect Access Control. Valid API Keys are held in an internal JS Object. Therefore an attacker can use JS Proto Method names (such as constructor or hasOwnProperty) to convince the System that the supplied API Key exists in the underlying JS object, and consequently achieve complete access to User/Admin/Super API functions, as demonstrated by a /super/constructor/accounts/list URI.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Shinobi ≫ Shinobi Pro Version <= 1.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.42%	0.615

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

https://gitlab.com/Shinobi-Systems/Shinobi/-/merge_requests/286

Patch

Third Party Advisory

https://gitlab.com/Shinobi-Systems/Shinobi/-/tags

Patch

Third Party Advisory

https://shinobi.video/

Product

https://nvd.nist.gov/vuln/detail/CVE-2021-27228

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-27228

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-27228

EUVD