{
"id": "CVE-2021-32753",
"sourceIdentifier": "security-advisories@github.com",
"published": "2021-07-09T19:15:08.373",
"lastModified": "2021-07-14T11:58:23.297",
"vulnStatus": "Analyzed",
"descriptions": [
{
"lang": "en",
"value": "EdgeX Foundry is an open source project for building a common open framework for internet-of-things edge computing. A vulnerability exists in the Edinburgh, Fuji, Geneva, and Hanoi versions of the software. When the EdgeX API gateway is configured for OAuth2 authentication and a proxy user is created, the client_id and client_secret required to obtain an OAuth2 authentication token are set to the username of the proxy user. A remote network attacker can then perform a dictionary-based password attack on the OAuth2 token endpoint of the API gateway to obtain an OAuth2 authentication token and use that token to make authenticated calls to EdgeX microservices from an untrusted network. OAuth2 is the default authentication method in EdgeX Edinburgh release. The default authentication method was changed to JWT in Fuji and later releases. Users should upgrade to the EdgeX Ireland release to obtain the fix. The OAuth2 authentication method is disabled in Ireland release. If unable to upgrade and OAuth2 authentication is required, users should create OAuth2 users directly using the Kong admin API and forgo the use of the `security-proxy-setup` tool to create OAuth2 users."
},
{
"lang": "es",
"value": "EdgeX Foundry es un proyecto de c\u00f3digo abierto para construir un framework abierto com\u00fan para la computaci\u00f3n de borde de la Internet de las cosas. Se presenta una vulnerabilidad en las versiones Edimburgo, Fuji, Ginebra y Hanoi del software. Cuando la puerta de enlace de la API EdgeX est\u00e1 configurada para la autenticaci\u00f3n OAuth2 y es creado un usuario proxy, el client_id y el client_secret requeridos para obtener un token de autenticaci\u00f3n OAuth2 se ajustan con el nombre de usuario del usuario proxy. Un atacante remoto de la red puede entonces llevar a cabo un ataque de contrase\u00f1a basado en diccionario en el endpoint del token OAuth2 de la puerta de enlace de la API para obtener un token de autenticaci\u00f3n OAuth2 y usar ese token para hacer llamadas autenticadas a los microservicios de EdgeX desde una red no confiable. OAuth2 es el m\u00e9todo de autenticaci\u00f3n predeterminado en la versi\u00f3n de EdgeX Edinburgh. El m\u00e9todo de autenticaci\u00f3n predeterminado fue cambiado a JWT en Fuji y versiones posteriores. Los usuarios deben actualizar a la versi\u00f3n de EdgeX Ireland para obtener la correcci\u00f3n. El m\u00e9todo de autenticaci\u00f3n OAuth2 est\u00e1 deshabilitado en la versi\u00f3n Ireland. Si no se puede actualizar y es requerida la autenticaci\u00f3n OAuth2, los usuarios deben crear usuarios OAuth2 directamente usando la API de Kong admin y renunciar al uso de la herramienta \"security-proxy-setup\" para crear usuarios OAuth2."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5
},
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH"
},
"exploitabilityScore": 3.9,
"impactScore": 3.7
}
],
"cvssMetricV2": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "2.0",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"accessVector": "NETWORK",
"accessComplexity": "MEDIUM",
"authentication": "NONE",
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"availabilityImpact": "NONE",
"baseScore": 5.8
},
"baseSeverity": "MEDIUM",
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
}
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-521"
}
]
},
{
"source": "security-advisories@github.com",
"type": "Secondary",
"description": [
{
"lang": "en",
"value": "CWE-284"
},
{
"lang": "en",
"value": "CWE-287"
},
{
"lang": "en",
"value": "CWE-521"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:edgexfoundry:edgex_foundry:*:*:*:*:*:*:*:*",
"versionStartIncluding": "1.0.0",
"versionEndExcluding": "2.0.0",
"matchCriteriaId": "75F38141-9394-4C6F-9958-755DF1FE496A"
}
]
}
]
}
],
"references": [
{
"url": "https://docs.konghq.com/hub/kong-inc/oauth2/#create-a-consumer",
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
]
},
{
"url": "https://github.com/edgexfoundry/edgex-go/security/advisories/GHSA-xph4-vmcc-52gh",
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
]
}
]
}