Lucene search

[email protected]CVE-2021-43447

HistoryJan 23, 2023 - 3:15 p.m.

CVE-2021-43447

2023-01-2315:15:13

CWE-306

[email protected]

web.nvd.nist.gov

onlyoffice

cve-2021-43447

incorrect access control

authentication bypass

document editor

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

35.9%

JSON

ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. An authentication bypass in the document editor allows attackers to edit documents without authentication.

Affected configurations

NVD

Node

onlyofficeserverRange≤7.0.0.49

CPENameOperatorVersion
onlyoffice:serveronlyoffice serverle7.0.0.49

CPE	Name	Operator	Version
onlyoffice:server	onlyoffice server	le	7.0.0.49

References

github.com/ONLYOFFICE/server

labs.nettitude.com/blog/exploiting-onlyoffice-web-sockets-for-unauthenticated-remote-code-execution/

www.onlyoffice.com/

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

35.9%

JSON

Related for CVE-2021-43447

osv1 prion1 cvelist1 nvd1