nvd-json-data-feeds/CVE-2021/CVE-2021-423xx/CVE-2021-42342.json

{
  "id": "CVE-2021-42342",
  "sourceIdentifier": "cve@mitre.org",
  "published": "2021-10-14T06:15:07.037",
  "lastModified": "2021-10-20T17:35:15.837",
  "vulnStatus": "Analyzed",
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in GoAhead 4.x and 5.x before 5.1.5. In the file upload filter, user form variables can be passed to CGI scripts without being prefixed with the CGI prefix. This permits tunneling untrusted environment variables into vulnerable CGI scripts."
    },
    {
      "lang": "es",
      "value": "Se ha detectado un problema en GoAhead versiones 4.x y 5.x anteriores a 5.1.5. En el filtro de carga de archivos, las variables de formulario del usuario pueden pasarse a scripts CGI sin que se les anteponga el prefijo CGI. Esto permite tunelizar variables de entorno no confiables en scripts CGI vulnerables"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "accessVector": "NETWORK",
          "accessComplexity": "LOW",
          "authentication": "NONE",
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5
        },
        "baseSeverity": "HIGH",
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": false
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-434"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:embedthis:goahead:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "4.0.0",
              "versionEndIncluding": "4.1.3",
              "matchCriteriaId": "3D614097-1270-46F0-939B-6F2D5757FF50"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:embedthis:goahead:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "5.0.0",
              "versionEndExcluding": "5.1.5",
              "matchCriteriaId": "4A881D37-6C28-42A3-AD4C-F4911820911B"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/embedthis/goahead/issues/305",
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ]
    }
  ]
}