Lucene search

GitHub_MCVELIST:CVE-2021-39196

HistorySep 07, 2021 - 6:55 p.m.

CVE-2021-39196 Authenticated non-privileged user can request unfiltered data without adequate permissions in pcapture

2021-09-0718:55:11

CWE-287

GitHub_M

www.cve.org

pcapture

web service

vulnerability

authenticated user

rest api

capture filter

data capture

upgrade

CVSS3

7.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

AI Score

7.4

Confidence

High

EPSS

0.001

Percentile

43.0%

JSON

pcapture is an open source dumpcap web service interface . In affected versions this vulnerability allows an authenticated but unprivileged user to use the REST API to capture and download packets with no capture filter and without adequate permissions. This is important because the capture filters can effectively limit the scope of information that a user can see in the data captures. If no filter is present, then all data on the local network segment where the program is running can be captured and downloaded. v3.12 fixes this problem. There is no workaround, you must upgrade to v3.12 or greater.

CNA Affected

[
  {
    "product": "pcapture",
    "vendor": "jdhwpgmbca",
    "versions": [
      {
        "status": "affected",
        "version": "< 3.12"
      }
    ]
  }
]

References

github.com/jdhwpgmbca/pcapture/commit/0f74f431e0970a2e5784dbd955cfa4760e3b1ef7

github.com/jdhwpgmbca/pcapture/issues/7

github.com/jdhwpgmbca/pcapture/security/advisories/GHSA-3r67-fxpr-p2qx

CVSS3

7.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

AI Score

7.4

Confidence

High

EPSS

0.001

Percentile

43.0%

JSON

Related for CVELIST:CVE-2021-39196