{"vulnerability": "CVE-2021-4119", "sightings": [{"uuid": "b47576c2-f795-4d95-8445-154089b910fd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-41193", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/13114", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2021-41193\n\ud83d\udd25 CVSS Score: 9.8 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\ud83d\udd39 Description: wire-avs is the audio visual signaling (AVS) component of Wire, an open-source messenger. A remote format string vulnerability in versions prior to 7.1.12 allows an attacker to cause a denial of service or possibly execute arbitrary code. The issue has been fixed in wire-avs 7.1.12. There are currently no known workarounds.\n\ud83d\udccf Published: 2022-03-01T18:25:22.000Z\n\ud83d\udccf Modified: 2025-04-23T18:59:49.177Z\n\ud83d\udd17 References:\n1. https://github.com/wireapp/wire-avs/security/advisories/GHSA-2j6v-xpf3-xvrv\n2. https://github.com/wireapp/wire-avs/commit/40d373ede795443ae6f2f756e9fb1f4f4ae90bbe", "creation_timestamp": "2025-04-23T19:05:06.000000Z"}, {"uuid": "85c9d6a6-81fd-476c-87a4-7c03fb8d4253", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-41192", "type": "published-proof-of-concept", "source": "https://t.me/m1swarr1or/52", "content": "Redash Exploiting (CVE-2021-41192)\n\nRedash is a package for data visualization and sharing. \nIf an admin sets up Redash versions 10.0.0 and prior without explicitly specifying the REDASH_COOKIE_SECRET or REDASH_SECRET_KEY environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value.\n\nhttps://ian.sh/redash\n\n#redash #cve #research", "creation_timestamp": "2022-01-07T09:08:06.000000Z"}, {"uuid": "fece6eb0-b188-43b5-b1b3-b478cc99a9f4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-41193", "type": "seen", "source": "https://t.me/cibsecurity/38279", "content": "\u203c CVE-2021-41193 \u203c\n\nwire-avs is the audio visual signaling (AVS) component of Wire, an open-source messenger. A remote format string vulnerability in versions prior to 7.1.12 allows an attacker to cause a denial of service or possibly execute arbitrary code. The issue has been fixed in wire-avs 7.1.12. There are currently no known workarounds.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-03-01T22:23:39.000000Z"}, {"uuid": "4f7d619d-0814-48f7-b611-7877af7267c3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-4119", "type": "seen", "source": "https://t.me/cibsecurity/34095", "content": "\u203c CVE-2021-4119 \u203c\n\nbookstack is vulnerable to Improper Access Control\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-12-15T22:40:22.000000Z"}, {"uuid": "1c931fbf-44f0-4a07-bf1c-9995b1c6164c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-41192", "type": "published-proof-of-concept", "source": "https://t.me/cibsecurity/32956", "content": "\u203c CVE-2021-41192 \u203c\n\nRedash is a package for data visualization and sharing. If an admin sets up Redash versions 10.0.0 and prior without explicitly specifying the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value. This issue only affects installations where the `REDASH_COOKIE_SECRET or REDASH_SECRET_KEY` environment variables have not been explicitly set. This issue does not affect users of the official Redash cloud images, Redash's Digital Ocean marketplace droplets, or the scripts in the `getredash/setup` repository. These instances automatically generate unique secret keys during installation. One can verify whether one's instance is affected by checking the value of the `REDASH_COOKIE_SECRET` environment variable. If it is `c292a0a3aa32397cdb050e233733900f`, should follow the steps to secure the instance, outlined in the GitHub Security Advisory.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-11-24T18:27:12.000000Z"}, {"uuid": "146b0eab-daa9-4bc9-9a50-8fe7279918a4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-41194", "type": "seen", "source": "https://t.me/cibsecurity/31438", "content": "\u203c CVE-2021-41194 \u203c\n\nFirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub. When JupyterHub is used with FirstUseAuthenticator, a vulnerability in versions prior to 1.0.0 allows unauthorized access to any user's account if `create_users=True` and the username is known or guessed. One may upgrade to version 1.0.0 or apply a patch manually to mitigate the vulnerability. For those who cannot upgrade, there is no complete workaround, but a partial mitigation exists. One can disable user creation with `c.FirstUseAuthenticator.create_users = False`, which will only allow login with fully normalized usernames for already existing users prior to jupyterhub-firstuserauthenticator 1.0.0. If any users have never logged in with their normalized username (i.e. lowercase), they will still be vulnerable until a patch or upgrade occurs.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-10-29T00:18:39.000000Z"}, {"uuid": "6127b6a6-bcb1-495e-8fbc-841d4b294add", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-41191", "type": "seen", "source": "https://t.me/cibsecurity/31332", "content": "\u203c CVE-2021-41191 \u203c\n\nRoblox-Purchasing-Hub is an open source Roblox product purchasing hub. A security risk in versions 1.0.1 and prior allowed people who have someone's API URL to get product files without an API key. This issue is fixed in version 1.0.2. As a workaround, add `@require_apikey` in `BOT/lib/cogs/website.py` under the route for `/v1/products`.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-10-28T00:16:27.000000Z"}, {"uuid": "5bebb710-30d3-404c-9a36-89f6630886f4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-41190", "type": "seen", "source": "https://t.me/cibsecurity/32566", "content": "\u203c CVE-2021-41190 \u203c\n\nThe OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both \u00c3\u00a2\u00e2\u201a\u00ac\u00c5\u201cmanifests\u00c3\u00a2\u00e2\u201a\u00ac? and \u00c3\u00a2\u00e2\u201a\u00ac\u00c5\u201clayers\u00c3\u00a2\u00e2\u201a\u00ac? fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both \u00c3\u00a2\u00e2\u201a\u00ac\u00c5\u201cmanifests\u00c3\u00a2\u00e2\u201a\u00ac? and \u00c3\u00a2\u00e2\u201a\u00ac\u00c5\u201clayers\u00c3\u00a2\u00e2\u201a\u00ac? fields or \u00c3\u00a2\u00e2\u201a\u00ac\u00c5\u201cmanifests\u00c3\u00a2\u00e2\u201a\u00ac? and \u00c3\u00a2\u00e2\u201a\u00ac\u00c5\u201cconfig\u00c3\u00a2\u00e2\u201a\u00ac? fields if they are unable to update to version 1.0.1 of the spec.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-11-17T22:20:54.000000Z"}, {"uuid": "bd9c5601-2e07-42ea-9a76-5bb8f1c6bd59", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-41192", "type": "published-proof-of-concept", "source": "https://t.me/thebugbountyhunter/5923", "content": "Exploiting Redash instances with CVE-2021-41192\n\nhttps://ian.sh/redash", "creation_timestamp": "2022-01-06T23:19:20.000000Z"}]}