9

CVE-2021-31590

Exploit

EPSS 1.49%
Veröffentlicht 19.07.2021 20:15:08
Zuletzt bearbeitet 21.11.2024 06:05:57
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

PwnDoc all versions until 0.4.0 (2021-08-23) has incorrect JSON Webtoken handling, leading to incorrect access control. With a valid JSON Webtoken that is used for authentication and authorization, a user can keep his admin privileges even if he is downgraded to the "user" privilege. Even after a user's account is deleted, the user can still access the administration panel (and add or delete users) and has complete access to the system.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 0 Referenzen 10

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pwndoc Project ≫ Pwndoc Version < 0.4.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.49%	0.805

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	9	8	10	AV:N/AC:L/Au:S/C:C/I:C/A:C

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://github.com/pwndoc/pwndoc/blob/59519735b0d831d8fd96d7c3387f66d28407e583/CHANGELOG.md#040-2021-08-23

Patch

Third Party Advisory

Release Notes

https://github.com/pwndoc/pwndoc/commit/15f3dc0e212eda465e05fda0feb002d1bce2939d

Patch

Third Party Advisory

https://github.com/pwndoc/pwndoc/commit/ff1b868cec55f5b6c7a91e15a2b0b1f4324121ab

Patch

Third Party Advisory

https://github.com/pwndoc/pwndoc/pull/128

Patch

Third Party Advisory

https://github.com/pwndoc/pwndoc/pull/74

Patch

Third Party Advisory

https://github.com/pwndoc/pwndoc/security/advisories

Broken Link

https://www.dgc.org/responsible_disclosure_pwndoc_jwt

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2021-31590

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-31590

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-31590

EUVD