CVE-2021-40875

nvd nist nuclei

Published: Sep 22, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.

Affected (1)

Products: Gurock: Testrail

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Gurock Testrail	Before 7.2.0.3014

Related CWEs

Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

References (8)

http://packetstormsecurity.com/files/164270/Gurock-Testrail-7.2.0.3014-Improper-Access-Control.html

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://github.com/SakuraSamuraii/derailed

Source: cve@mitre.org

Third Party Advisory

https://johnjhacking.com/blog/cve-2021-40875/

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.gurock.com/testrail/tour/enterprise-edition

Source: cve@mitre.org

ProductVendor Advisory

http://packetstormsecurity.com/files/164270/Gurock-Testrail-7.2.0.3014-Improper-Access-Control.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

https://github.com/SakuraSamuraii/derailed

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://johnjhacking.com/blog/cve-2021-40875/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.gurock.com/testrail/tour/enterprise-edition

Source: af854a3a-2127-422b-91ae-364da2661108

ProductVendor Advisory

Timeline

No history available yet.