CVE-2021-36758
CVE-2021-36758 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. 1Password Connect server before 1.2 is missing validation checks, permitting users to create Secrets Automation access tokens that can be used to perform privilege escalation. Malicious users authorized to create Secrets Automation access tokens can create tokens that have access beyond what the user is authorized to access, but limited to the existing authorizations of the Secrets Automation the token is created in. EPSS estimates a 0.47% chance of exploitation in the next 30 days.
Description
1Password Connect server before 1.2 is missing validation checks, permitting users to create Secrets Automation access tokens that can be used to perform privilege escalation. Malicious users authorized to create Secrets Automation access tokens can create tokens that have access beyond what the user is authorized to access, but limited to the existing authorizations of the Secret Automation the token is created in.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| 1password | Connect | < 1.2 |
References
- https://support.1password.com/kb/202106/Patch, Vendor Advisory
Source: NVD / NIST
