CVE-2022-34621

Published: Aug 19, 2022Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference (IDOR) vulnerability which allows attackers to modify user passwords and other attributes via modification of the user_id parameter.

Affected (2)

Products: Mealie: Mealie

Mealie

1 product

Mealie

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Mealie Mealie	Version 0.5.5
Mealie Mealie	Version 1.0.0 beta3

Related CWEs

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (10)

https://cwe.mitre.org/data/definitions/639.html

Source: cve@mitre.org

Third Party Advisory

https://docs.mealie.io/changelog/v0.5.6/

Source: cve@mitre.org

Release NotesThird Party Advisory

https://gainsec.com/2022/08/19/cve-2022-34615-cve-2022-34621-cve-2022-34623-cve-2022-34624/

Source: cve@mitre.org

Third Party Advisory

https://hub.docker.com/r/hkotel/mealie

Source: cve@mitre.org

ProductThird Party Advisory

https://portswigger.net/web-security/access-control/idor

Source: cve@mitre.org

Third Party Advisory

https://cwe.mitre.org/data/definitions/639.html