CVE-2021-39192

Published: 3 Sep 2021
Source: nvd
CVSS3: 6.5
CVSS3: 7.2
CVSS2: 6.5
EPSS: Low

Описание

Ghost is a Node.js content management system. An error in the implementation of the limits service between versions 4.0.0 and 4.9.4 allows all authenticated users (including contributors) to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. This issue is patched in Ghost version 4.10.0. As a workaround, disable all non-Administrator accounts to prevent API access. It is highly recommended to regenerate all API keys after patching or applying the workaround.
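The two checks a practitioner needs from this advisory are (1) whether a Ghost install falls in the affected range and (2) whether a non-Administrator session can actually see admin-type API keys in an integrations response, which is what the keys-must-be-regenerated advice hinges on. The script below is an added triage helper, not code from Ghost or from this page. It assumes (not stated in the advisory) that the Admin API integrations response has the shape `{ integrations: [ { name, api_keys: [ { id, type: "admin" | "content", secret } ] } ] }`, that Ghost's role names include `Owner`, `Administrator` and `Contributor`, and it works on a constructed sample response so it runs offline; on a real site you would feed it the JSON obtained with a contributor session instead.

```javascript
// Added triage helper for CVE-2021-39192 (Ghost 4.0.0 <= v < 4.10.0).
// Not Ghost project code. Response shape and role names are assumptions.

const AFFECTED_MIN = [4, 0, 0]; // inclusive, from the NVD CPE range
const FIXED_IN = [4, 10, 0];    // exclusive: 4.10.0 carries the fix

// Parse "v4.9.4-rc.1" style strings into [major, minor, patch];
// pre-release/build suffixes are dropped for the range comparison.
function parseVersion(v) {
  const core = String(v).trim().replace(/^v/i, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unparseable Ghost version: ${v}`);
  }
  return parts;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is inside the NVD-listed vulnerable range.
function isAffectedVersion(v) {
  const p = parseVersion(v);
  return compareVersions(p, AFFECTED_MIN) >= 0 && compareVersions(p, FIXED_IN) < 0;
}

// Roles that are entitled to see admin API keys (assumed Ghost role names).
const PRIVILEGED_ROLES = new Set(['Owner', 'Administrator']);

// Given the calling user's role and an integrations response, return the
// admin-type keys whose secret is visible although the caller is not an admin.
// Any hit means the site is leaking keys and every key should be rotated.
function exposedAdminKeys(role, response) {
  if (PRIVILEGED_ROLES.has(role)) return [];
  const leaked = [];
  for (const integration of response.integrations || []) {
    for (const key of integration.api_keys || []) {
      const secretVisible = typeof key.secret === 'string' && key.secret.length > 0;
      if (key.type === 'admin' && secretVisible) {
        leaked.push({ integration: integration.name, keyId: key.id });
      }
    }
  }
  return leaked;
}

// Constructed sample: what a contributor might get back from a vulnerable
// 4.9.x site. The secrets are made-up placeholders, not real keys.
const SAMPLE_RESPONSE = {
  integrations: [
    {
      name: 'Zapier',
      api_keys: [
        { id: 'k1', type: 'content', secret: 'content-key-placeholder' },
        { id: 'k2', type: 'admin', secret: 'k2:admin-key-placeholder' },
      ],
    },
    { name: 'Newsletter', api_keys: [{ id: 'k3', type: 'content', secret: 'content-key-2' }] },
  ],
};

// Combine both checks into one verdict.
function triage(version, role, response) {
  const leaked = exposedAdminKeys(role, response);
  return {
    versionAffected: isAffectedVersion(version),
    leakedAdminKeys: leaked,
    rotateAllKeys: leaked.length > 0,
  };
}

console.log(JSON.stringify(triage('4.9.4', 'Contributor', SAMPLE_RESPONSE), null, 2));
```

A version inside the range is a reason to patch; a non-empty `leakedAdminKeys` list is evidence the keys have already been readable by low-privilege accounts and must be regenerated after the upgrade (or after disabling non-Administrator accounts, the workaround above), because patching alone does not invalidate secrets that were already exposed.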

Vulnerable configurations

Configuration 1
cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*
Version from 4.0.0 (inclusive) up to 4.10.0 (exclusive)

EPSS

Percentile: 67%
Score: 0.00531
Low


Weaknesses

CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
CWE-269 (Improper Privilege Management)

Related vulnerabilities

CVSS3: 6.5
debian
more than 4 years ago

Ghost is a Node.js content management system. An error in the implemen ...

CVSS3: 6.5
github
more than 4 years ago

Privilege escalation: all users can access Admin-level API keys
