CVE-2021-29452

Published: Apr 16, 2021Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2.

Affected (1)

Products: Curveballjs: A12n Server

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Curveballjs A12n Server	From 0.18.0 to 0.18.2

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (4)

https://github.com/curveball/a12n-server/security/advisories/GHSA-8hw9-22v6-9jr9

Source: security-advisories@github.com

Third Party Advisory

https://www.npmjs.com/package/%40curveball/a12n-server

Source: security-advisories@github.com

https://github.com/curveball/a12n-server/security/advisories/GHSA-8hw9-22v6-9jr9

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.npmjs.com/package/%40curveball/a12n-server

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.