CVE-2021-43175 (GCVE-0-2021-43175)

Vulnerability from cvelistv5 – Published: 2021-12-07 17:25 – Updated: 2024-08-04 03:47
VLAI?
Summary
The GOautodial API prior to commit 3c3a979 made on October 13th, 2021 exposes an API router that accepts a username, password, and action that routes to other PHP files that implement the various API functions. Vulnerable versions of GOautodial validate the username and password incorrectly, allowing the caller to specify any values for these parameters and successfully authenticate. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
Severity ?
No CVSS data available.
CWE
  • CWE-305 - Authentication Bypass by Primary Weakness
Assigner
References
Impacted products
Vendor Product Version
GOautodial GOautodial API Affected: < 3c3a979
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:47:13.636Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.synopsys.com/blogs/software-security/cyrc-advisory-goautodial-vulnerabilities"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "GOautodial API",
          "vendor": "GOautodial",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3c3a979"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The GOautodial API prior to commit 3c3a979 made on October 13th, 2021 exposes an API router that accepts a username, password, and action that routes to other PHP files that implement the various API functions. Vulnerable versions of GOautodial validate the username and password incorrectly, allowing the caller to specify any values for these parameters and successfully authenticate. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-305",
              "description": "CWE-305: Authentication Bypass by Primary Weakness",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-07T17:25:11",
        "orgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
        "shortName": "SNPS"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.synopsys.com/blogs/software-security/cyrc-advisory-goautodial-vulnerabilities"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "disclosure@synopsys.com",
          "ID": "CVE-2021-43175",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "GOautodial API",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 3c3a979"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "GOautodial"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The GOautodial API prior to commit 3c3a979 made on October 13th, 2021 exposes an API router that accepts a username, password, and action that routes to other PHP files that implement the various API functions. Vulnerable versions of GOautodial validate the username and password incorrectly, allowing the caller to specify any values for these parameters and successfully authenticate. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-305: Authentication Bypass by Primary Weakness"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.synopsys.com/blogs/software-security/cyrc-advisory-goautodial-vulnerabilities",
              "refsource": "MISC",
              "url": "https://www.synopsys.com/blogs/software-security/cyrc-advisory-goautodial-vulnerabilities"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
    "assignerShortName": "SNPS",
    "cveId": "CVE-2021-43175",
    "datePublished": "2021-12-07T17:25:11",
    "dateReserved": "2021-11-01T00:00:00",
    "dateUpdated": "2024-08-04T03:47:13.636Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:goautodial:goautodial:4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"34D620FB-064A-42A2-9222-398A95B85275\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:goautodial:goautodial_api:2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0A227C38-0641-4F76-A524-DDE8A5FAB2C2\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The GOautodial API prior to commit 3c3a979 made on October 13th, 2021 exposes an API router that accepts a username, password, and action that routes to other PHP files that implement the various API functions. Vulnerable versions of GOautodial validate the username and password incorrectly, allowing the caller to specify any values for these parameters and successfully authenticate. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C\"}, {\"lang\": \"es\", \"value\": \"La API de GOautodial anterior al commit 3c3a979 realizado el 13 de octubre de 2021 expone un enrutador de la API que acepta un nombre de usuario, una contrase\\u00f1a y una acci\\u00f3n que dirige a otros archivos PHP que implementan las distintas funciones de la API. Las versiones vulnerables de GOautodial comprueban el nombre de usuario y la contrase\\u00f1a de forma incorrecta, permitiendo a la persona que llama especificar cualquier valor para estos par\\u00e1metros y autenticarse con \\u00e9xito. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C\"}]",
      "id": "CVE-2021-43175",
      "lastModified": "2024-11-21T06:28:46.387",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-12-07T18:15:06.993",
      "references": "[{\"url\": \"https://www.synopsys.com/blogs/software-security/cyrc-advisory-goautodial-vulnerabilities\", \"source\": \"disclosure@synopsys.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://www.synopsys.com/blogs/software-security/cyrc-advisory-goautodial-vulnerabilities\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "disclosure@synopsys.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"disclosure@synopsys.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-305\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-43175\",\"sourceIdentifier\":\"disclosure@synopsys.com\",\"published\":\"2021-12-07T18:15:06.993\",\"lastModified\":\"2024-11-21T06:28:46.387\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The GOautodial API prior to commit 3c3a979 made on October 13th, 2021 exposes an API router that accepts a username, password, and action that routes to other PHP files that implement the various API functions. Vulnerable versions of GOautodial validate the username and password incorrectly, allowing the caller to specify any values for these parameters and successfully authenticate. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C\"},{\"lang\":\"es\",\"value\":\"La API de GOautodial anterior al commit 3c3a979 realizado el 13 de octubre de 2021 expone un enrutador de la API que acepta un nombre de usuario, una contrase\u00f1a y una acci\u00f3n que dirige a otros archivos PHP que implementan las distintas funciones de la API. Las versiones vulnerables de GOautodial comprueban el nombre de usuario y la contrase\u00f1a de forma incorrecta, permitiendo a la persona que llama especificar cualquier valor para estos par\u00e1metros y autenticarse con \u00e9xito. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"disclosure@synopsys.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-305\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:goautodial:goautodial:4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"34D620FB-064A-42A2-9222-398A95B85275\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:goautodial:goautodial_api:2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0A227C38-0641-4F76-A524-DDE8A5FAB2C2\"}]}]}],\"references\":[{\"url\":\"https://www.synopsys.com/blogs/software-security/cyrc-advisory-goautodial-vulnerabilities\",\"source\":\"disclosure@synopsys.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.synopsys.com/blogs/software-security/cyrc-advisory-goautodial-vulnerabilities\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.