4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
36.8%
When running on servers that are configured to accept a wildcard as a hostname (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. See the following resources for more information on Host Header Poisoning:
A feature has been added in v1.1.2 to allow a set of trusted hosts to be specified in the application.
Apply https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6 & https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0 to your installation manually if unable to upgrade to v1.1.2.
Check that the configuration setting cms.linkPolicy
is set to force
.
Check to make sure that your web server does not accept any hostname when serving your web application.
testing.tld
to your computer’s host file and direct it to your server’s IP addresstesting.tld
in your web browserIf an October CMS website is returned, configure your webserver to only allow known hostnames. If you require assistance with this, please contact your server administrator.
Reported by Abdullah Hussam
If you have any questions or comments about this advisory:
<img width=“1108” alt=“Screen Shot 2021-01-15 at 4 12 57 PM” src=“https://user-images.githubusercontent.com/7253840/104783859-92fb3600-574c-11eb-9e21-c0dc05d230a9.png”>
CPE | Name | Operator | Version |
---|---|---|---|
october/backend | lt | 1.1.2 |
github.com/advisories/GHSA-xhfx-hgmf-v6vp
github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6
github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0
github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp
nvd.nist.gov/vuln/detail/CVE-2021-21265
packagist.org/packages/october/backend
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
36.8%