nvd-json-data-feeds/CVE-2021/CVE-2021-412xx/CVE-2021-41238.json

{
  "id": "CVE-2021-41238",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2021-11-02T18:15:08.777",
  "lastModified": "2021-11-04T17:29:57.933",
  "vulnStatus": "Analyzed",
  "descriptions": [
    {
      "lang": "en",
      "value": "Hangfire is an open source system to perform background job processing in a .NET or .NET Core applications. No Windows Service or separate process required. Dashboard UI in Hangfire.Core uses authorization filters to protect it from showing sensitive data to unauthorized users. By default when no custom authorization filters specified, `LocalRequestsOnlyAuthorizationFilter` filter is being used to allow only local requests and prohibit all the remote requests to provide sensible, protected by default settings. However due to the recent changes, in version 1.7.25 no authorization filters are used by default, allowing remote requests to succeed. If you are using `UseHangfireDashboard` method with default `DashboardOptions.Authorization` property value, then your installation is impacted. If any other authorization filter is specified in the `DashboardOptions.Authorization` property, the you are not impacted. Patched versions (1.7.26) are available both on Nuget.org and as a tagged release on the github repo. Default authorization rules now prohibit remote requests by default again by including the `LocalRequestsOnlyAuthorizationFilter` filter to the default settings. Please upgrade to the newest version in order to mitigate the issue. For users who are unable to upgrade it is possible to mitigate the issue by using the `LocalRequestsOnlyAuthorizationFilter` explicitly when configuring the Dashboard UI."
    },
    {
      "lang": "es",
      "value": "Hangfire es un sistema de c\u00f3digo abierto para llevar a cabo el procesamiento de trabajos en segundo plano en aplicaciones .NET o .NET Core. No es requerido un servicio de Windows o un proceso separado. La Interfaz de Usuario de Hangfire.Core usa filtros de autorizaci\u00f3n para evitar que se muestren datos confidenciales a usuarios no autorizados. Por defecto, cuando no se especifican filtros de autorizaci\u00f3n personalizados, es usado el filtro \"LocalRequestsOnlyAuthorizationFilter\" para permitir s\u00f3lo las peticiones locales y prohibir todas las peticiones remotas para proporcionar datos confidenciales, protegidos por la configuraci\u00f3n predeterminada. Sin embargo, debido a los recientes cambios, en la versi\u00f3n 1.7.25, no son usados filtros de autorizaci\u00f3n por defecto, permitiendo que las peticiones remotas tengan \u00e9xito. Si est\u00e1 usando el m\u00e9todo \"UseHangfireDashboard\" con el valor de la propiedad \"DashboardOptions.Authorization\" por defecto, su instalaci\u00f3n es afectada. Si es especificado cualquier otro filtro de autorizaci\u00f3n en la propiedad \"DashboardOptions.Authorization\", no es afectado. Las versiones parcheadas (1.7.26) est\u00e1n disponibles tanto en Nuget.org como en una versi\u00f3n etiquetada en el repositorio de github. Las reglas de autorizaci\u00f3n por defecto vuelven a prohibir las peticiones remotas por defecto al incluir el filtro \"LocalRequestsOnlyAuthorizationFilter\" a la configuraci\u00f3n por defecto. Por favor, actualice a la versi\u00f3n m\u00e1s reciente para mitigar el problema. Para usuarios que no puedan actualizar, es posible mitigar el problema usando el filtro \"LocalRequestsOnlyAuthorizationFilter\" expl\u00edcitamente cuando se configura la Interfaz de Usuario del Panel"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6
      },
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "availabilityImpact": "LOW",
          "baseScore": 8.6,
          "baseSeverity": "HIGH"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.7
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "accessVector": "NETWORK",
          "accessComplexity": "LOW",
          "authentication": "NONE",
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0
        },
        "baseSeverity": "MEDIUM",
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": false
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ]
    },
    {
      "source": "security-advisories@github.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:hangfire:hangfire:1.7.25:*:*:*:*:*:*:*",
              "matchCriteriaId": "B0C79641-C046-4220-BC96-640A6D4D9E42"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/HangfireIO/Hangfire/issues/1958",
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/HangfireIO/Hangfire/security/advisories/GHSA-7rq6-7gv8-c37h",
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ]
    }
  ]
}