Add CVE-2021-39215 for GHSA-45ff-37jm-xjfx

2025-05-06 18:53:08 +00:00 · 2021-09-15 17:18:51 +00:00 · 2021-09-15 17:18:51 +00:00 · ad2a08449d
commit ad2a08449d
parent 467d7b69c8
1 changed files with 76 additions and 6 deletions
--- a/2021/39xxx/CVE-2021-39215.json
+++ b/2021/39xxx/CVE-2021-39215.json
@ -1,18 +1,88 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-39215",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "Authentication Bypass: Forged Tokens Allow Access to Arbitrary Rooms"
    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "jitsi-meet",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": "< 2.0.5963"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "jitsi"
+                }
+            ]
+        }
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "Jitsi Meet is an open source video conferencing application. In versions prior to 2.0.5963, a Prosody module allows the use of symmetrical algorithms to validate JSON web tokens. This means that tokens generated by arbitrary sources can be used to gain authorization to protected rooms. This issue is fixed in Jitsi Meet 2.0.5963. There are no known workarounds aside from updating."
            }
        ]
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "LOW",
+            "attackVector": "NETWORK",
+            "availabilityImpact": "NONE",
+            "baseScore": 7.5,
+            "baseSeverity": "HIGH",
+            "confidentialityImpact": "HIGH",
+            "integrityImpact": "NONE",
+            "privilegesRequired": "NONE",
+            "scope": "UNCHANGED",
+            "userInteraction": "NONE",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-287: Improper Authentication"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "name": "https://github.com/jitsi/jitsi-meet/security/advisories/GHSA-45ff-37jm-xjfx",
+                "refsource": "CONFIRM",
+                "url": "https://github.com/jitsi/jitsi-meet/security/advisories/GHSA-45ff-37jm-xjfx"
+            },
+            {
+                "name": "https://github.com/jitsi/jitsi-meet/pull/9319",
+                "refsource": "MISC",
+                "url": "https://github.com/jitsi/jitsi-meet/pull/9319"
+            }
+        ]
+    },
+    "source": {
+        "advisory": "GHSA-45ff-37jm-xjfx",
+        "discovery": "UNKNOWN"
    }
 }