Lucene search

GitHub Advisory DatabaseGHSA-H97F-5258-5593

HistorySep 01, 2021 - 6:32 p.m.

Incorrect Authorization in serverless-offline

2021-09-0118:32:22

CWE-863

GitHub Advisory Database

github.com

serverless

authorization

access control

http status code

trailing slash

amazon aws

permissions

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.007

Percentile

80.7%

JSON

Serverless Offline 8.0.0 returns a 403 HTTP status code for a route that has a trailing / character, which might cause a developer to implement incorrect access control, because the actual behavior within the Amazon AWS environment is a 200 HTTP status code (i.e., possibly greater than expected permissions).

Affected configurations

Vulners

Node

serverlessofflineRange≤8.0.0

VendorProductVersionCPE
serverlessoffline*cpe:2.3:a:serverless:offline:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
serverless	offline	*	cpe:2.3:a:serverless:offline::::::::

References

github.com/advisories/GHSA-h97f-5258-5593

github.com/dherault/serverless-offline/issues/1259

nvd.nist.gov/vuln/detail/CVE-2021-38384

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.007

Percentile

80.7%

JSON

Related for GHSA-H97F-5258-5593