9.8

CVE-2021-43786

Exploit

API token verification can be bypassed

Nodebb is an open source Node.js based forum software. In affected versions incorrect logic present in the token verification step unintentionally allowed master token access to the API. The vulnerability has been patch as of v1.18.5. Users are advised to upgrade as soon as possible.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NodebbNodebb Version >= 1.15.0 <= 1.18.4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.29% 0.81
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
security-advisories@github.com 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/
Third Party Advisory
Exploit
https://github.com/NodeBB/NodeBB/commit/04dab1d550cdebf4c1567bca9a51f8b9ca48a500
Patch
Third Party Advisory
https://github.com/NodeBB/NodeBB/releases/tag/v1.18.5
Third Party Advisory
Release Notes
https://github.com/NodeBB/NodeBB/security/advisories/GHSA-hf2m-j98r-4fqw
Third Party Advisory