CVE-2021-22565

Published: Dec 9, 2021Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Exploitability: 3.9 / Impact: 2.5

Source: NVD

Description

An attacker could prematurely expire a verification code, making it unusable by the patient, making the patient unable to upload their TEKs to generate exposure notifications. We recommend upgrading the Exposure Notification server to V1.1.2 or greater.

Affected (1)

Products: Google: Exposure Notification Verification Server

1 product

Exposure Notification Verification Server

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Google Exposure Notification Verification Server	Before 1.1.2

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (4)

https://github.com/google/exposure-notifications-verification-server/releases/tag/v1.1.2

Source: cve-coordination@google.com

PatchRelease NotesThird Party Advisory

https://github.com/google/exposure-notifications-verification-server/security/advisories/GHSA-wx8q-rgfr-cf6v

Source: cve-coordination@google.com

Third Party Advisory

https://github.com/google/exposure-notifications-verification-server/releases/tag/v1.1.2

Source: af854a3a-2127-422b-91ae-364da2661108

PatchRelease NotesThird Party Advisory

https://github.com/google/exposure-notifications-verification-server/security/advisories/GHSA-wx8q-rgfr-cf6v

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.