CVE-2021-29439

EPSS 0.72%
Veröffentlicht 13.04.2021 20:15:22
Zuletzt bearbeitet 21.11.2024 06:01:06
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

The Grav admin plugin prior to version 1.10.11 does not correctly verify caller's privileges. As a consequence, users with the permission `admin.login` can install third-party plugins and their dependencies. By installing the right plugin, an attacker can obtain an arbitrary code execution primitive and elevate their privileges on the instance. The vulnerability has been addressed in version 1.10.11. As a mitigation blocking access to the `/admin` path from untrusted sources will reduce the probability of exploitation.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Getgrav ≫ Grav Admin Version < 1.10.11

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.72%	0.719

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P
security-advisories@github.com	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/getgrav/grav-plugin-admin/commit/a220359877fd1281f76ba732e5308e0e3002e4b1

https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-wg37-cf5x-55hq

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-29439

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-29439

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-29439

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2021-29439