7.5

CVE-2021-40875

Exploit

EPSS 81.11%
Veröffentlicht 22.09.2021 15:15:09
Zuletzt bearbeitet 21.11.2024 06:24:59
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Gurock ≫ Testrail Version < 7.2.0.3014

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	81.11%	0.991

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-425 Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

http://packetstormsecurity.com/files/164270/Gurock-Testrail-7.2.0.3014-Improper-Access-Control.html

Third Party Advisory

Exploit

VDB Entry

https://github.com/SakuraSamuraii/derailed

Third Party Advisory

https://johnjhacking.com/blog/cve-2021-40875/

Third Party Advisory

Exploit

https://www.gurock.com/testrail/tour/enterprise-edition

Vendor Advisory

Product

https://nvd.nist.gov/vuln/detail/CVE-2021-40875

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-40875

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-40875

EUVD