CVE-2021-41191

Опубликовано: 27 окт. 2021

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

Roblox-Purchasing-Hub is an open source Roblox product purchasing hub. A security risk in versions 1.0.1 and prior allowed people who have someone's API URL to get product files without an API key. This issue is fixed in version 1.0.2. As a workaround, add @require_apikey in BOT/lib/cogs/website.py under the route for /v1/products.

Ссылки

https://github.com/Redon-Tech/Roblox-Purchasing-Hub/commit/58a22260eca40b1a0377daf61ccd8c4dc1440e03
Patch
Third Party Advisory
https://github.com/Redon-Tech/Roblox-Purchasing-Hub/releases/tag/V1.0.2
Release Notes
Third Party Advisory
https://github.com/Redon-Tech/Roblox-Purchasing-Hub/security/advisories/GHSA-76mx-6584-4v8q
Third Party Advisory
https://github.com/Redon-Tech/Roblox-Purchasing-Hub/commit/58a22260eca40b1a0377daf61ccd8c4dc1440e03
Patch
Third Party Advisory
https://github.com/Redon-Tech/Roblox-Purchasing-Hub/releases/tag/V1.0.2
Release Notes
Third Party Advisory
https://github.com/Redon-Tech/Roblox-Purchasing-Hub/security/advisories/GHSA-76mx-6584-4v8q
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:redon:roblox_purchasing_hub:*:*:*:*:*:*:*:*

Версия до 1.0.2 (исключая)

EPSS

Процентиль: 63%

0.00453

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-116