Strix
26.1K

CVE-2021-32624

MEDIUMCVSS 5.3/10EPSS 0.86%

Last modified

CVE-2021-32624 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. Keystone 5 is an open source CMS platform to build Node.js applications. This security advisory relates to a newly discovered capability in our query infrastructure to directly or indirectly expose the values of private fields, bypassing the configured access control. EPSS estimates a 0.86% chance of exploitation in the next 30 days.

Description

Keystone 5 is an open source CMS platform to build Node.js applications. This security advisory relates to a newly discovered capability in our query infrastructure to directly or indirectly expose the values of private fields, bypassing the configured access control. This is an access control related oracle attack in that the attack method guides an attacker during their attempt to reveal information they do not have access to. The complexity of completing the attack is limited by some length-dependent behaviors and the fidelity of the exposed information. Under some circumstances, field values or field value meta data can be determined, despite the field or list having `read` access control configured. If you use private fields or lists, you may be impacted. No patches exist at this time. There are no workarounds at this time

Metrics

CVSS 3.1
5.3/10

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Probability
0.86%

54.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
KeystonejsKeystone-5<= 19.3.2

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2021-32624?
Keystone 5 is an open source CMS platform to build Node.js applications. This security advisory relates to a newly discovered capability in our query infrastructure to directly or indirectly expose the values of private fields, bypassing the configured access control. This is an access control related oracle attack in that the attack method guides an attacker during their attempt to reveal information they do not have access to. The complexity of completing the attack is limited by some length-dependent behaviors and the fidelity of the exposed information. Under some circumstances, field values or field value meta data can be determined, despite the field or list having `read` access control configured. If you use private fields or lists, you may be impacted. No patches exist at this time. There are no workarounds at this time
How severe is CVE-2021-32624?
CVE-2021-32624 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 0.86% probability of exploitation in the next 30 days.
How do I fix CVE-2021-32624?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-32624?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST