Lucene search

GoogleOSV:CVE-2021-3138

HistoryJan 14, 2021 - 4:15 a.m.

CVE-2021-3138

2021-01-1404:15:15

Google

osv.dev

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

6.7 Medium

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.018 Low

EPSS

Percentile

88.0%

JSON

In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms.

CPENameOperatorVersion
discourseeq1.1.0.beta4
discourseeq1.7.0.beta3
discourseeq0.9.7.5
discourseeq1.5.0.beta6
discourseeq0.9.8.4
discourseeq1.1.0.beta3
discourseeq1.7.0.beta10
discourseeq1.8.7
discourseeq0.9.9.10
discourseeq1.7.1

Name	Operator	Version
discourse	eq	1.1.0.beta4
discourse	eq	1.7.0.beta3
discourse	eq	0.9.7.5
discourse	eq	1.5.0.beta6
discourse	eq	0.9.8.4
discourse	eq	1.1.0.beta3
discourse	eq	1.7.0.beta10
discourse	eq	1.8.7
discourse	eq	0.9.9.10
discourse	eq	1.7.1

Rows per page:

1-10 of 3551

References

packetstormsecurity.com/files/162256/Discourse-2.7.0-2FA-Bypass.html

github.com/discourse/discourse/releases

github.com/Mesh3l911/Disource

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

6.7 Medium

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.018 Low

EPSS

Percentile

88.0%

JSON

Related for OSV:CVE-2021-3138