History: Jan 28, 2022 - 7:09 p.m.

CVE-2021-27654

2022-01-28 19:09:31
CWE-640
Pega
www.cve.org
password reset
local accounts
authentication checks
bypass

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C

AI Score: 8
Confidence: High

EPSS: 0
Percentile: 5.1%

Forgotten password reset functionality for local accounts can be used to bypass local authentication checks.

CNA Affected

[
  {
    "product": "Pega Infinity",
    "vendor": "Pegasystems",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "8.2.1",
        "versionType": "custom"
      },
      {
        "lessThan": "8.6.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
