1. CVE-Search
  2. CVE-2021-21276
ID CVE-2021-21276
Summary Polr is an open source URL shortener. in Polr before version 2.3.0, a vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability exists regardless of users' settings. If an attacker crafts a request with specific cookie headers to the /setup/finish endpoint, they may be able to obtain admin privileges on the instance. This is caused by a loose comparison (==) in SetupController that is susceptible to attack. The project has been patched to ensure that a strict comparison (===) is used to verify the setup key, and that /setup/finish verifies that no users table exists before performing any migrations or provisioning any new accounts. This is fixed in version 2.3.0. Users can patch this vulnerability without upgrading by adding abort(404) to the very first line of finishSetup in SetupController.php.
References
Vulnerable Configurations
  • cpe:2.3:a:polrproject:polr:0.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:0.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:0.1.5:rc2:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:0.1.5:rc2:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:0.2:alpha:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:0.2:alpha:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:0.2.2:alpha:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:0.2.2:alpha:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:0.2.3:alpha:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:0.2.3:alpha:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:0.11:*:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:1.0.0:b:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:1.0.0:b:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:1.0.0:b-c:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:1.0.0:b-c:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:1.0.0:b-d:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:1.0.0:b-d:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:1.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:1.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:1.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:1.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:1.2.4:be:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:1.2.4:be:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:1.2.5:beta:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:1.2.5:beta:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:1.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:1.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:1.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:1.3.2:b:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:1.3.2:b:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:1.3.3:*:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:1.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:1.4.1:-:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:1.4.1:-:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:1.4.1:beta:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:1.4.1:beta:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:1.5.1:*:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:1.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:2.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:2.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:2.0.0:a1:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:2.0.0:a1:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:2.0.0:a2:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:2.0.0:a2:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:2.0.0:b1:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:2.0.0:b1:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:2.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:2.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:2.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:2.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:2.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:polrproject:polr:2.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:polrproject:polr:2.2.0:*:*:*:*:*:*:*
CVSS
Base: 6.4 (as of 06-04-2023 - 17:15)
Impact:
Exploitability:
CWE CWE-863
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:N
Last major update 06-04-2023 - 17:15
Published 01-02-2021 - 15:15
Last modified 06-04-2023 - 17:15
Back to Top