{ "id": "CVE-2021-39165", "sourceIdentifier": "security-advisories@github.com", "published": "2021-08-26T21:15:10.053", "lastModified": "2021-09-01T17:30:13.950", "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "Cachet is an open source status page. In Cachet versions up to and including 2.3.18, there is a SQL injection in `SearchableTrait#scopeSearch()`. Unauthenticated attackers can use this vulnerability to exfiltrate sensitive data from the database, such as the administrator's password and session. The original repository of Cachet is not active; the stable version 2.3.18 and its 2.4 development branch are affected." }, { "lang": "es", "value": "Cachet es una p\u00e1gina de estado de c\u00f3digo abierto. Con Cachet versiones anteriores a 2.3.18 incluy\u00e9ndola, se presenta una inyecci\u00f3n SQL que se encuentra en la funci\u00f3n \"SearchableTrait#scopeSearch()\". Unos atacantes sin autenticaci\u00f3n pueden utilizar esta vulnerabilidad para exfiltrar datos confidenciales de la base de datos, como la contrase\u00f1a y la sesi\u00f3n del administrador. El repositorio original de Cachet (https://github.com/CachetHQ/Cachet) no est\u00e1 activo, la versi\u00f3n estable 2.3.18 y su rama 2.4 en desarrollo est\u00e1n afectadas." 
} ], "metrics": { "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM" }, "exploitabilityScore": 2.8, "impactScore": 3.6 }, { "source": "security-advisories@github.com", "type": "Secondary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH" }, "exploitabilityScore": 2.8, "impactScore": 5.2 } ], "cvssMetricV2": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0 }, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false } ] }, "weaknesses": [ { "source": "security-advisories@github.com", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-287" }, { "lang": "en", "value": "CWE-89" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:chachethq:cachet:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.18", "matchCriteriaId": "B3A34C33-07F1-4AED-AB3E-236B6B5DF306" } ] } ] } ], 
"references": [ { "url": "https://github.com/fiveai/Cachet/commit/27bca8280419966ba80c6fa283d985ddffa84bb6", "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ] }, { "url": "https://github.com/fiveai/Cachet/security/advisories/GHSA-79mg-4w23-4fqc", "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ] } ] }