CVE-2021-28122

Опубликовано: 10 мар. 2021

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.x before 2.2.1. The WebUI component allows an unauthenticated user to use a crafted HTTP API request to create, read, update, or delete entries in the subscriber database. For example, new administrative users can be added. The issue occurs because Express is not set up to require authentication.

Ссылки

https://github.com/open5gs/open5gs/compare/v2.2.0...v2.2.1
Patch
Third Party Advisory
https://github.com/open5gs/open5gs/issues/837
Exploit
Third Party Advisory
https://github.com/open5gs/open5gs/pull/838
Patch
Third Party Advisory
https://github.com/open5gs/open5gs/releases
Release Notes
Third Party Advisory
https://github.com/open5gs/open5gs/compare/v2.2.0...v2.2.1
Patch
Third Party Advisory
https://github.com/open5gs/open5gs/issues/837
Exploit
Third Party Advisory
https://github.com/open5gs/open5gs/pull/838
Patch
Third Party Advisory
https://github.com/open5gs/open5gs/releases
Release Notes
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*

Версия от 2.1.3 (включая) до 2.2.0 (включая)

EPSS

Процентиль: 78%

0.01097

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-306

Связанные уязвимости

CVE-2021-28122

CVSS3: 9.8

debian

почти 5 лет назад

A request-validation issue was discovered in Open5GS 2.1.3 through 2.2 ...

GHSA-66wx-wcfh-hv4g

CVSS3: 9.8

github

больше 3 лет назад

A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.0. The WebUI component allows an unauthenticated user to use a crafted HTTP API request to create, read, update, or delete entries in the subscriber database. For example, new administrative users can be added. The issue occurs because Express is not set up to require authentication.

EPSS

Процентиль: 78%

0.01097

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-306