nvd-json-data-feeds/CVE-2021/CVE-2021-383xx/CVE-2021-38384.json

{
  "id": "CVE-2021-38384",
  "sourceIdentifier": "cve@mitre.org",
  "published": "2021-08-10T18:15:07.513",
  "lastModified": "2022-07-12T17:42:04.277",
  "vulnStatus": "Analyzed",
  "descriptions": [
    {
      "lang": "en",
      "value": "Serverless Offline 8.0.0 returns a 403 HTTP status code for a route that has a trailing / character, which might cause a developer to implement incorrect access control, because the actual behavior within the Amazon AWS environment is a 200 HTTP status code (i.e., possibly greater than expected permissions)."
    },
    {
      "lang": "es",
      "value": "Serverless Offline versi\u00f3n 8.0.0, devuelve un c\u00f3digo de estado HTTP 403 para una ruta que presenta un car\u00e1cter / al final, lo que podr\u00eda causar a un desarrollador implementar un control de acceso incorrecto, porque el comportamiento real dentro del entorno de Amazon AWS es un c\u00f3digo de estado HTTP 200 (es decir, posiblemente mayores permisos de los esperados)"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "accessVector": "NETWORK",
          "accessComplexity": "LOW",
          "authentication": "NONE",
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5
        },
        "baseSeverity": "HIGH",
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": false
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-755"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:serverless_offline_project:serverless_offline:8.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "14209048-68A5-4D34-ACD2-6854E84A5208"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/dherault/serverless-offline/issues/1259",
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ]
    }
  ]
}