CVE-2021-27228
Last modified
CVE-2021-27228 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. An issue was discovered in Shinobi through ocean version 1. lib/auth.js has Incorrect Access Control. EPSS estimates a 1.60% chance of exploitation in the next 30 days.
Description
An issue was discovered in Shinobi through ocean version 1. lib/auth.js has Incorrect Access Control. Valid API Keys are held in an internal JS Object. Therefore an attacker can use JS Proto Method names (such as constructor or hasOwnProperty) to convince the System that the supplied API Key exists in the underlying JS object, and consequently achieve complete access to User/Admin/Super API functions, as demonstrated by a /super/constructor/accounts/list URI.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Shinobi | Shinobi Pro | <= 1.0 |
References
- https://gitlab.com/Shinobi-Systems/Shinobi/-/merge_requests/286Patch, Third Party Advisory
- https://gitlab.com/Shinobi-Systems/Shinobi/-/tagsPatch, Third Party Advisory
- https://shinobi.video/Product
- https://gitlab.com/Shinobi-Systems/Shinobi/-/merge_requests/286Patch, Third Party Advisory
- https://gitlab.com/Shinobi-Systems/Shinobi/-/tagsPatch, Third Party Advisory
- https://shinobi.video/Product
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-27228?
How severe is CVE-2021-27228?
How do I fix CVE-2021-27228?
Are you affected by CVE-2021-27228?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST