Add CVE-2021-29456 for GHSA-36f2-fcrx-fp4j

2025-07-30 18:04:30 +00:00 · 2021-04-21 14:45:57 -04:00 · 2021-04-21 14:45:57 -04:00 · 9e2f950b67
commit 9e2f950b67
parent da5a7b205c
1 changed files with 71 additions and 6 deletions
--- a/2021/29xxx/CVE-2021-29456.json
+++ b/2021/29xxx/CVE-2021-29456.json
@ -1,18 +1,83 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-29456",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "Authelia allows open redirects on the logout endpoint"
    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "authelia",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": "<= 4.27.4"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "authelia"
+                }
+            ]
+        }
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. In versions 4.27.4 and earlier, utilizing a HTTP query parameter an attacker is able to redirect users from the web application to any domain, including potentially malicious sites. This security issue does not directly impact the security of the web application itself. As a workaround, one can use a reverse proxy to strip the query parameter from the affected endpoint. There is a patch for version 4.28.0."
            }
        ]
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "LOW",
+            "attackVector": "NETWORK",
+            "availabilityImpact": "NONE",
+            "baseScore": 5.7,
+            "baseSeverity": "MEDIUM",
+            "confidentialityImpact": "NONE",
+            "integrityImpact": "HIGH",
+            "privilegesRequired": "LOW",
+            "scope": "UNCHANGED",
+            "userInteraction": "REQUIRED",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "name": "https://github.com/authelia/authelia/security/advisories/GHSA-36f2-fcrx-fp4j",
+                "refsource": "CONFIRM",
+                "url": "https://github.com/authelia/authelia/security/advisories/GHSA-36f2-fcrx-fp4j"
+            }
+        ]
+    },
+    "source": {
+        "advisory": "GHSA-36f2-fcrx-fp4j",
+        "discovery": "UNKNOWN"
    }
 }