CVE-2021-43175

Exploit

EPSS 0.36%
Veröffentlicht 07.12.2021 18:15:06
Zuletzt bearbeitet 21.11.2024 06:28:46
Quelle disclosure@synopsys.com
CVE-Watchlists
Login
Unerledigt
Login

The GOautodial API prior to commit 3c3a979 made on October 13th, 2021 exposes an API router that accepts a username, password, and action that routes to other PHP files that implement the various API functions. Vulnerable versions of GOautodial validate the username and password incorrectly, allowing the caller to specify any values for these parameters and successfully authenticate. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Goautodial ≫ Goautodial Version4

Goautodial ≫ Goautodial Api Version2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.36%	0.575

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-305 Authentication Bypass by Primary Weakness

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

https://www.synopsys.com/blogs/software-security/cyrc-advisory-goautodial-vulnerabilities

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2021-43175

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-43175

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-43175

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2021-43175