Lucene search

GitHub Advisory DatabaseGHSA-FV48-HJHP-94C7

HistoryJul 26, 2021 - 9:20 p.m.

Incorrect Authorization in TeamPass

2021-07-2621:20:38

CWE-863

GitHub Advisory Database

github.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.004 Low

EPSS

Percentile

73.7%

JSON

The REST API functions in TeamPass 2.1.27.36 allow any user with a valid API token to bypass IP address whitelist restrictions via an X-Forwarded-For client HTTP header to the getIp function.

CPENameOperatorVersion
nilsteampassnet/teampassle2.1.27.36

CPE	Name	Operator	Version
	nilsteampassnet/teampass	le	2.1.27.36

References

github.com/advisories/GHSA-fv48-hjhp-94c7

github.com/nilsteampassnet/TeamPass/issues/2761

nvd.nist.gov/vuln/detail/CVE-2020-12477

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.004 Low

EPSS

Percentile

73.7%

JSON

Related for GHSA-FV48-HJHP-94C7