Lucene search

GitHub Advisory DatabaseGHSA-6566-9526-52V6

HistoryFeb 10, 2022 - 8:48 p.m.

Exposure of Sensitive Information to an Unauthorized Actor in Concord

2022-02-1020:48:47

CWE-200

GitHub Advisory Database

github.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

57.7%

JSON

An issue was discovered in Walmart Labs Concord before 1.44.0. CORS Access-Control-Allow-Origin headers have a potentially unsafe dependency on Origin headers, and are not configurable. This allows remote attackers to discover host information, nodes, API metadata, and references to usernames via api/v1/apikey.

CPENameOperatorVersion
com.walmartlabs.concord.docker:concord-commonlt1.44.0

CPE	Name	Operator	Version
	com.walmartlabs.concord.docker:concord-common	lt	1.44.0

References

github.com/advisories/GHSA-6566-9526-52v6

github.com/walmartlabs/concord/compare/1.43.0...1.44.0

github.com/walmartlabs/concord/issues/22

nvd.nist.gov/vuln/detail/CVE-2020-10591

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

57.7%

JSON

Related for GHSA-6566-9526-52V6