ID GHSA-FP63-499M-HQ6M
Type github
Reporter GitHub Advisory Database
Modified 2021-07-12T23:09:42
Description
Impact
A vulnerability was found that allowed authenticated admin users to access any file on the server.
Patches
The vulnerability has been fixed in 3.0.4.
Workarounds
We recommend disabling the plugin if untrustworthy sources have admin access.
For more information
If you have any questions or comments about this advisory:
* Open an issue in ether/logs
{"id": "GHSA-FP63-499M-HQ6M", "vendorId": null, "type": "github", "bulletinFamily": "software", "title": "Files or Directories Accessible to External Parties in ether/logs", "description": "### Impact\nA vulnerability was found that allowed authenticated admin users to access any file on the server.\n\n### Patches\nThe vulnerability has been fixed in 3.0.4.\n\n### Workarounds\nWe recommend disabling the plugin if untrustworthy sources have admin access.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [ether/logs](https://github.com/ethercreative/logs/issues)\n", "published": "2021-07-12T16:53:00", "modified": "2021-07-12T23:09:42", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6}, "href": "https://github.com/advisories/GHSA-fp63-499m-hq6m", "reporter": "GitHub Advisory Database", "references": ["https://github.com/ethercreative/logs/security/advisories/GHSA-fp63-499m-hq6m", "https://github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4", "https://github.com/ethercreative/logs/releases/tag/3.0.4", "https://nvd.nist.gov/vuln/detail/CVE-2021-32752", "https://github.com/advisories/GHSA-fp63-499m-hq6m"], "cvelist": ["CVE-2021-32752"], "immutableFields": [], "lastseen": "2021-12-22T11:52:00", "viewCount": 36, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-32752"]}, {"type": "osv", "idList": ["OSV:GHSA-FP63-499M-HQ6M"]}], "rev": 4}, "score": {"value": 3.9, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-32752"]}, {"type": "kitploit", "idList": ["KITPLOIT:3449843613571411531"]}]}, "exploitation": null, "vulnersScore": 3.9}, "affectedSoftware": [{"version": "3.0.4", "operator": "lt", "ecosystem": "COMPOSER", "name": "ether/logs"}], "_state": {"dependencies": 1646083452}}
{"osv": [{"lastseen": "2022-05-12T01:08:43", "description": "### Impact\nA vulnerability was found that allowed authenticated admin users to access any file on the server.\n\n### Patches\nThe vulnerability has been fixed in 3.0.4.\n\n### Workarounds\nWe recommend disabling the plugin if untrustworthy sources have admin access.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [ether/logs](https://github.com/ethercreative/logs/issues)\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "baseScore": 4.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-07-12T16:53:00", "type": "osv", "title": "Files or Directories Accessible to External Parties in ether/logs", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32752"], "modified": "2021-07-09T14:04:21", "id": "OSV:GHSA-FP63-499M-HQ6M", "href": "https://osv.dev/vulnerability/GHSA-fp63-499m-hq6m", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2022-03-23T18:32:51", "description": "Ether Logs is a package that allows one to check one's logs in the Craft 3 utilities section. A vulnerability was found in versions prior to 3.0.4 that allowed authenticated admin users to access any file on the server. The vulnerability has been fixed in version 3.0.4. As a workaround, one may disable the plugin if untrustworthy sources have admin access.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "baseScore": 4.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-07-09T14:15:00", "type": "cve", "title": "CVE-2021-32752", "cwe": ["CWE-552"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32752"], "modified": "2021-07-22T12:56:00", "cpe": [], "id": "CVE-2021-32752", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32752", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": []}]}
