Lucene search

GitHub_MCVELIST:CVE-2021-41191

HistoryOct 27, 2021 - 8:30 p.m.

CVE-2021-41191 API giving out files without key

2021-10-2720:30:11

CWE-116

GitHub_M

www.cve.org

cve-2021-41191

api

file access

security risk

roblox

product purchasing

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

49.2%

JSON

Roblox-Purchasing-Hub is an open source Roblox product purchasing hub. A security risk in versions 1.0.1 and prior allowed people who have someone’s API URL to get product files without an API key. This issue is fixed in version 1.0.2. As a workaround, add @require_apikey in BOT/lib/cogs/website.py under the route for /v1/products.

CNA Affected

[
  {
    "product": "Roblox-Purchasing-Hub",
    "vendor": "Redon-Tech",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.0.2"
      }
    ]
  }
]

References

github.com/Redon-Tech/Roblox-Purchasing-Hub/commit/58a22260eca40b1a0377daf61ccd8c4dc1440e03

github.com/Redon-Tech/Roblox-Purchasing-Hub/releases/tag/V1.0.2

github.com/Redon-Tech/Roblox-Purchasing-Hub/security/advisories/GHSA-76mx-6584-4v8q

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

49.2%

JSON

Related for CVELIST:CVE-2021-41191