GHSA-hf2m-j98r-4fqw

Published: 30 Nov 2021
Source: github
GitHub: Reviewed
CVSS3: 9.8

Description

API token verification can be bypassed in NodeBB

Impact

Incorrect logic present in the token verification step unintentionally allowed master token access to the API.

Patches

The vulnerability has been patched as of v1.18.5.

Workarounds

Cherry-pick commit hash 04dab1d550cdebf4c1567bca9a51f8b9ca48a500 to receive this patch in lieu of a full upgrade.

For more information

If you have any questions or comments about this advisory:

Packages

Name: nodebb (npm)
Affected versions: >= 1.15.0, < 1.18.5
Fixed version: 1.18.5

EPSS

Percentile: 64%
0.00475
Low

CVSS3: 9.8 Critical

Weaknesses

CWE-287

Related vulnerabilities

CVSS3: 9.8
nvd
about 4 years ago

NodeBB is an open source Node.js based forum software. In affected versions incorrect logic present in the token verification step unintentionally allowed master token access to the API. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.
