CVE-2021-36804 (GCVE-0-2021-36804)

Vulnerability from cvelistv5 – Published: 2021-08-04 22:20 – Updated: 2024-09-16 17:04
VLAI?
Summary
Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows the target's e-mail address. This issue was fixed in version 2.1.13 of the product. Please note that this issue is ultimately caused by the defaults provided by the Laravel framework, specifically how proxy headers are handled with respect to multi-tenant implementations. In other words, while this is not technically a vulnerability in Laravel, this default configuration is very likely to lead to practically identical identical vulnerabilities in Laravel projects that implement multi-tenant applications.
Severity ?
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CWE
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
References
Impacted products
Vendor Product Version
Akaunting Akaunting Affected: 2.1.12 , ≤ 2.1.12 (custom)
Create a notification for this product.
Credits
Wiktor Sędkowski of Nokia and Trevor Christiansen of Rapid7 discovered and reported this issue through Rapid7's vulnerability disclosure program.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:01:59.214Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.rapid7.com/blog/post/2021/07/27/multiple-open-source-web-app-vulnerabilities-fixed/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.laravel-enlightn.com/docs/security/host-injection-analyzer.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/laravel/laravel/pull/5477"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Akaunting",
          "vendor": "Akaunting",
          "versions": [
            {
              "lessThanOrEqual": "2.1.12",
              "status": "affected",
              "version": "2.1.12",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Wiktor S\u0119dkowski of Nokia and Trevor Christiansen of Rapid7 discovered and reported this issue through Rapid7\u0027s vulnerability disclosure program."
        }
      ],
      "datePublic": "2021-07-27T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows the target\u0027s e-mail address. This issue was fixed in version 2.1.13 of the product. Please note that this issue is ultimately caused by the defaults provided by the Laravel framework, specifically how proxy headers are handled with respect to multi-tenant implementations. In other words, while this is not technically a vulnerability in Laravel, this default configuration is very likely to lead to practically identical identical vulnerabilities in Laravel projects that implement multi-tenant applications."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-04T22:20:44",
        "orgId": "9974b330-7714-4307-a722-5648477acda7",
        "shortName": "rapid7"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.rapid7.com/blog/post/2021/07/27/multiple-open-source-web-app-vulnerabilities-fixed/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.laravel-enlightn.com/docs/security/host-injection-analyzer.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/laravel/laravel/pull/5477"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Akaunting Password Reset Relay",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@rapid7.com",
          "DATE_PUBLIC": "2021-07-27T13:05:00.000Z",
          "ID": "CVE-2021-36804",
          "STATE": "PUBLIC",
          "TITLE": "Akaunting Password Reset Relay"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Akaunting",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "2.1.12",
                            "version_value": "2.1.12"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Akaunting"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Wiktor S\u0119dkowski of Nokia and Trevor Christiansen of Rapid7 discovered and reported this issue through Rapid7\u0027s vulnerability disclosure program."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows the target\u0027s e-mail address. This issue was fixed in version 2.1.13 of the product. Please note that this issue is ultimately caused by the defaults provided by the Laravel framework, specifically how proxy headers are handled with respect to multi-tenant implementations. In other words, while this is not technically a vulnerability in Laravel, this default configuration is very likely to lead to practically identical identical vulnerabilities in Laravel projects that implement multi-tenant applications."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.rapid7.com/blog/post/2021/07/27/multiple-open-source-web-app-vulnerabilities-fixed/",
              "refsource": "MISC",
              "url": "https://www.rapid7.com/blog/post/2021/07/27/multiple-open-source-web-app-vulnerabilities-fixed/"
            },
            {
              "name": "https://www.laravel-enlightn.com/docs/security/host-injection-analyzer.html",
              "refsource": "MISC",
              "url": "https://www.laravel-enlightn.com/docs/security/host-injection-analyzer.html"
            },
            {
              "name": "https://github.com/laravel/laravel/pull/5477",
              "refsource": "MISC",
              "url": "https://github.com/laravel/laravel/pull/5477"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
    "assignerShortName": "rapid7",
    "cveId": "CVE-2021-36804",
    "datePublished": "2021-08-04T22:20:44.678845Z",
    "dateReserved": "2021-07-19T00:00:00",
    "dateUpdated": "2024-09-16T17:04:02.713Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:akaunting:akaunting:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.1.13\", \"matchCriteriaId\": \"1C0E3BA7-1D63-44C7-B536-A68FB76A3126\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows the target\u0027s e-mail address. This issue was fixed in version 2.1.13 of the product. Please note that this issue is ultimately caused by the defaults provided by the Laravel framework, specifically how proxy headers are handled with respect to multi-tenant implementations. In other words, while this is not technically a vulnerability in Laravel, this default configuration is very likely to lead to practically identical identical vulnerabilities in Laravel projects that implement multi-tenant applications.\"}, {\"lang\": \"es\", \"value\": \"Akaunting versiones 2.1.12 y anteriores, sufren de una vulnerabilidad de suplantaci\\u00f3n de restablecimiento de contrase\\u00f1a, donde un atacante puede delegar peticiones de restablecimiento de contrase\\u00f1a mediante una instancia de Akaunting en ejecuci\\u00f3n, si ese atacante conoce la direcci\\u00f3n de correo electr\\u00f3nico del objetivo. Este problema se ha corregido en la versi\\u00f3n 2.1.13 del producto. Tenga en cuenta que este problema es causado en \\u00faltima instancia por los valores predeterminados proporcionados por el marco de Laravel, espec\\u00edficamente c\\u00f3mo se manejan los encabezados de proxy con respecto a las implementaciones multi-tenant. En otras palabras, mientras que esto no es t\\u00e9cnicamente una vulnerabilidad en Laravel, esta configuraci\\u00f3n predeterminada es muy probable que conlleve a vulnerabilidades pr\\u00e1cticamente id\\u00e9nticas en proyectos de Laravel que implementen aplicaciones multi-tenant\"}]",
      "id": "CVE-2021-36804",
      "lastModified": "2024-11-21T06:14:08.323",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"cve@rapid7.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.5}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.2}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:N\", \"baseScore\": 5.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2021-08-04T23:15:08.243",
      "references": "[{\"url\": \"https://github.com/laravel/laravel/pull/5477\", \"source\": \"cve@rapid7.com\", \"tags\": [\"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.laravel-enlightn.com/docs/security/host-injection-analyzer.html\", \"source\": \"cve@rapid7.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.rapid7.com/blog/post/2021/07/27/multiple-open-source-web-app-vulnerabilities-fixed/\", \"source\": \"cve@rapid7.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/laravel/laravel/pull/5477\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.laravel-enlightn.com/docs/security/host-injection-analyzer.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.rapid7.com/blog/post/2021/07/27/multiple-open-source-web-app-vulnerabilities-fixed/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "cve@rapid7.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"cve@rapid7.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-640\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-640\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-36804\",\"sourceIdentifier\":\"cve@rapid7.com\",\"published\":\"2021-08-04T23:15:08.243\",\"lastModified\":\"2024-11-21T06:14:08.323\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows the target\u0027s e-mail address. This issue was fixed in version 2.1.13 of the product. Please note that this issue is ultimately caused by the defaults provided by the Laravel framework, specifically how proxy headers are handled with respect to multi-tenant implementations. In other words, while this is not technically a vulnerability in Laravel, this default configuration is very likely to lead to practically identical identical vulnerabilities in Laravel projects that implement multi-tenant applications.\"},{\"lang\":\"es\",\"value\":\"Akaunting versiones 2.1.12 y anteriores, sufren de una vulnerabilidad de suplantaci\u00f3n de restablecimiento de contrase\u00f1a, donde un atacante puede delegar peticiones de restablecimiento de contrase\u00f1a mediante una instancia de Akaunting en ejecuci\u00f3n, si ese atacante conoce la direcci\u00f3n de correo electr\u00f3nico del objetivo. Este problema se ha corregido en la versi\u00f3n 2.1.13 del producto. Tenga en cuenta que este problema es causado en \u00faltima instancia por los valores predeterminados proporcionados por el marco de Laravel, espec\u00edficamente c\u00f3mo se manejan los encabezados de proxy con respecto a las implementaciones multi-tenant. En otras palabras, mientras que esto no es t\u00e9cnicamente una vulnerabilidad en Laravel, esta configuraci\u00f3n predeterminada es muy probable que conlleve a vulnerabilidades pr\u00e1cticamente id\u00e9nticas en proyectos de Laravel que implementen aplicaciones multi-tenant\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@rapid7.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:N\",\"baseScore\":5.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"cve@rapid7.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-640\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-640\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:akaunting:akaunting:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.1.13\",\"matchCriteriaId\":\"1C0E3BA7-1D63-44C7-B536-A68FB76A3126\"}]}]}],\"references\":[{\"url\":\"https://github.com/laravel/laravel/pull/5477\",\"source\":\"cve@rapid7.com\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.laravel-enlightn.com/docs/security/host-injection-analyzer.html\",\"source\":\"cve@rapid7.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.rapid7.com/blog/post/2021/07/27/multiple-open-source-web-app-vulnerabilities-fixed/\",\"source\":\"cve@rapid7.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/laravel/laravel/pull/5477\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.laravel-enlightn.com/docs/security/host-injection-analyzer.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.rapid7.com/blog/post/2021/07/27/multiple-open-source-web-app-vulnerabilities-fixed/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.