CVE-2021-21276 (GCVE-0-2021-21276)

Vulnerability from cvelistv5 – Published: 2021-02-01 00:00 – Updated: 2024-08-03 18:09
VLAI?
Title
Privilege escalation in Polr
Summary
Polr is an open source URL shortener. in Polr before version 2.3.0, a vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability exists regardless of users' settings. If an attacker crafts a request with specific cookie headers to the /setup/finish endpoint, they may be able to obtain admin privileges on the instance. This is caused by a loose comparison (==) in SetupController that is susceptible to attack. The project has been patched to ensure that a strict comparison (===) is used to verify the setup key, and that /setup/finish verifies that no users table exists before performing any migrations or provisioning any new accounts. This is fixed in version 2.3.0. Users can patch this vulnerability without upgrading by adding abort(404) to the very first line of finishSetup in SetupController.php.
Severity ?
9.3 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
CWE
  • CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
Vendor Product Version
cydrobolt polr Affected: < 2.3.0
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:09:15.162Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cydrobolt/polr/security/advisories/GHSA-vg6w-8w9v-xxqc"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cydrobolt/polr/commit/b1981709908caf6069b4a29dad3b6739c322c675"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cydrobolt/polr/releases/tag/2.3.0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/171743/POLR-URL-2.3.0-Shortener-Admin-Takeover.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "polr",
          "vendor": "cydrobolt",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.3.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Polr is an open source URL shortener. in Polr before version 2.3.0, a vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability exists regardless of users\u0027 settings. If an attacker crafts a request with specific cookie headers to the /setup/finish endpoint, they may be able to obtain admin privileges on the instance. This is caused by a loose comparison (==) in SetupController that is susceptible to attack. The project has been patched to ensure that a strict comparison (===) is used to verify the setup key, and that /setup/finish verifies that no users table exists before performing any migrations or provisioning any new accounts. This is fixed in version 2.3.0. Users can patch this vulnerability without upgrading by adding abort(404) to the very first line of finishSetup in SetupController.php."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-06T00:00:00",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/cydrobolt/polr/security/advisories/GHSA-vg6w-8w9v-xxqc"
        },
        {
          "url": "https://github.com/cydrobolt/polr/commit/b1981709908caf6069b4a29dad3b6739c322c675"
        },
        {
          "url": "https://github.com/cydrobolt/polr/releases/tag/2.3.0"
        },
        {
          "url": "http://packetstormsecurity.com/files/171743/POLR-URL-2.3.0-Shortener-Admin-Takeover.html"
        }
      ],
      "source": {
        "advisory": "GHSA-vg6w-8w9v-xxqc",
        "discovery": "UNKNOWN"
      },
      "title": "Privilege escalation in Polr"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-21276",
    "datePublished": "2021-02-01T00:00:00",
    "dateReserved": "2020-12-22T00:00:00",
    "dateUpdated": "2024-08-03T18:09:15.162Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:polrproject:polr:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.3.0\", \"matchCriteriaId\": \"B8A352CC-B030-4010-B3AC-C2D7A584B038\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Polr is an open source URL shortener. in Polr before version 2.3.0, a vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability exists regardless of users\u0027 settings. If an attacker crafts a request with specific cookie headers to the /setup/finish endpoint, they may be able to obtain admin privileges on the instance. This is caused by a loose comparison (==) in SetupController that is susceptible to attack. The project has been patched to ensure that a strict comparison (===) is used to verify the setup key, and that /setup/finish verifies that no users table exists before performing any migrations or provisioning any new accounts. This is fixed in version 2.3.0. Users can patch this vulnerability without upgrading by adding abort(404) to the very first line of finishSetup in SetupController.php.\"}, {\"lang\": \"es\", \"value\": \"Polr es un acortador de URL de c\\u00f3digo abierto.\u0026#xa0;en Polr anterior a la versi\\u00f3n 2.3.0, una vulnerabilidad en el proceso de configuraci\\u00f3n permite a atacantes obtener acceso de administrador a las instancias del sitio, incluso si no poseen una cuenta existente.\u0026#xa0;Esta vulnerabilidad existe independientemente de la configuraci\\u00f3n de los usuarios.\u0026#xa0;Si un atacante crea una petici\\u00f3n con encabezados de cookies espec\\u00edficas para el endpoint /setup/finish, es posible que pueda obtener privilegios de administrador en la instancia.\u0026#xa0;Esto es causado por una comparaci\\u00f3n imprecisa (==) en SetupController que es susceptible de ataque.\u0026#xa0;El proyecto ha sido parcheado para garantizar que se utilice una comparaci\\u00f3n estricta (===) para verificar la clave de configuraci\\u00f3n, y que /setup/finish verifique que no exista ninguna tabla de usuarios antes de realizar algunas migraciones o aprovisionar cuentas nuevas.\u0026#xa0;Esto se corrige en la versi\\u00f3n 2.3.0. Los usuarios pueden parchear esta vulnerabilidad sin actualizar agregando abort (404) a la primera l\\u00ednea de finishSetup en SetupController.php\"}]",
      "id": "CVE-2021-21276",
      "lastModified": "2024-11-21T05:47:54.810",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N\", \"baseScore\": 9.3, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 4.7}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N\", \"baseScore\": 9.3, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 4.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:N\", \"baseScore\": 6.4, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-02-01T15:15:13.260",
      "references": "[{\"url\": \"http://packetstormsecurity.com/files/171743/POLR-URL-2.3.0-Shortener-Admin-Takeover.html\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/cydrobolt/polr/commit/b1981709908caf6069b4a29dad3b6739c322c675\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/cydrobolt/polr/releases/tag/2.3.0\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/cydrobolt/polr/security/advisories/GHSA-vg6w-8w9v-xxqc\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://packetstormsecurity.com/files/171743/POLR-URL-2.3.0-Shortener-Admin-Takeover.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/cydrobolt/polr/commit/b1981709908caf6069b4a29dad3b6739c322c675\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/cydrobolt/polr/releases/tag/2.3.0\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/cydrobolt/polr/security/advisories/GHSA-vg6w-8w9v-xxqc\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-863\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-21276\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-02-01T15:15:13.260\",\"lastModified\":\"2024-11-21T05:47:54.810\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Polr is an open source URL shortener. in Polr before version 2.3.0, a vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability exists regardless of users\u0027 settings. If an attacker crafts a request with specific cookie headers to the /setup/finish endpoint, they may be able to obtain admin privileges on the instance. This is caused by a loose comparison (==) in SetupController that is susceptible to attack. The project has been patched to ensure that a strict comparison (===) is used to verify the setup key, and that /setup/finish verifies that no users table exists before performing any migrations or provisioning any new accounts. This is fixed in version 2.3.0. Users can patch this vulnerability without upgrading by adding abort(404) to the very first line of finishSetup in SetupController.php.\"},{\"lang\":\"es\",\"value\":\"Polr es un acortador de URL de c\u00f3digo abierto.\u0026#xa0;en Polr anterior a la versi\u00f3n 2.3.0, una vulnerabilidad en el proceso de configuraci\u00f3n permite a atacantes obtener acceso de administrador a las instancias del sitio, incluso si no poseen una cuenta existente.\u0026#xa0;Esta vulnerabilidad existe independientemente de la configuraci\u00f3n de los usuarios.\u0026#xa0;Si un atacante crea una petici\u00f3n con encabezados de cookies espec\u00edficas para el endpoint /setup/finish, es posible que pueda obtener privilegios de administrador en la instancia.\u0026#xa0;Esto es causado por una comparaci\u00f3n imprecisa (==) en SetupController que es susceptible de ataque.\u0026#xa0;El proyecto ha sido parcheado para garantizar que se utilice una comparaci\u00f3n estricta (===) para verificar la clave de configuraci\u00f3n, y que /setup/finish verifique que no exista ninguna tabla de usuarios antes de realizar algunas migraciones o aprovisionar cuentas nuevas.\u0026#xa0;Esto se corrige en la versi\u00f3n 2.3.0. Los usuarios pueden parchear esta vulnerabilidad sin actualizar agregando abort (404) a la primera l\u00ednea de finishSetup en SetupController.php\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:N\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:polrproject:polr:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.3.0\",\"matchCriteriaId\":\"B8A352CC-B030-4010-B3AC-C2D7A584B038\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/171743/POLR-URL-2.3.0-Shortener-Admin-Takeover.html\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/cydrobolt/polr/commit/b1981709908caf6069b4a29dad3b6739c322c675\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/cydrobolt/polr/releases/tag/2.3.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/cydrobolt/polr/security/advisories/GHSA-vg6w-8w9v-xxqc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/171743/POLR-URL-2.3.0-Shortener-Admin-Takeover.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/cydrobolt/polr/commit/b1981709908caf6069b4a29dad3b6739c322c675\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/cydrobolt/polr/releases/tag/2.3.0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/cydrobolt/polr/security/advisories/GHSA-vg6w-8w9v-xxqc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.