cnvd - cnvd-2021-102394

CNVD-2021-102394

Vulnerability from cnvd - Published: 2021-12-24

Title

Galette跨站请求伪造漏洞

Description

Galette是开源的一个面向非营利组织的会员管理网络应用程序。 Galette存在跨站请求伪造漏洞，该漏洞源于Galette 0.9.6版本及之前的版本未能检查跨站点请求伪造攻击。目前没有详细的漏洞细节提供。

Severity

中

Patch Name

Galette跨站请求伪造漏洞的补丁

Patch Description

Galette是开源的一个面向非营利组织的会员管理网络应用程序。 Galette存在跨站请求伪造漏洞，该漏洞源于Galette 0.9.6版本及之前的版本未能检查跨站点请求伪造攻击。目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/galette/galette/commit/a5602bca2566f1be370631c3ab2d40feedd4b3ad

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-41260

Impacted products

Name
Galette Galette <0.9.6

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-41260"
    }
  },
  "description": "Galette\u662f\u5f00\u6e90\u7684\u4e00\u4e2a\u9762\u5411\u975e\u8425\u5229\u7ec4\u7ec7\u7684\u4f1a\u5458\u7ba1\u7406\u7f51\u7edc\u5e94\u7528\u7a0b\u5e8f\u3002\n\nGalette\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eGalette 0.9.6\u7248\u672c\u53ca\u4e4b\u524d\u7684\u7248\u672c\u672a\u80fd\u68c0\u67e5\u8de8\u7ad9\u70b9\u8bf7\u6c42\u4f2a\u9020\u653b\u51fb\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/galette/galette/commit/a5602bca2566f1be370631c3ab2d40feedd4b3ad",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-102394",
  "openTime": "2021-12-24",
  "patchDescription": "Galette\u662f\u5f00\u6e90\u7684\u4e00\u4e2a\u9762\u5411\u975e\u8425\u5229\u7ec4\u7ec7\u7684\u4f1a\u5458\u7ba1\u7406\u7f51\u7edc\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nGalette\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eGalette 0.9.6\u7248\u672c\u53ca\u4e4b\u524d\u7684\u7248\u672c\u672a\u80fd\u68c0\u67e5\u8de8\u7ad9\u70b9\u8bf7\u6c42\u4f2a\u9020\u653b\u51fb\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Galette\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Galette Galette \u003c0.9.6"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-41260",
  "serverity": "\u4e2d",
  "submitTime": "2021-12-17",
  "title": "Galette\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e"
}

CVE-2021-41260 (GCVE-0-2021-41260)

Vulnerability from cvelistv5 – Published: 2021-12-16 18:10 – Updated: 2024-08-04 03:08

Title

Missing CSRF checks in Galette

Summary

Galette is a membership management web application built for non profit organizations and released under GPLv3. Versions prior to 0.9.6 do not check for Cross Site Request Forgery attacks. All users are advised to upgrade to 0.9.6 as soon as possible. There are no known workarounds for this issue.

Severity ?

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/galette/galette/security/advis…	x_refsource_CONFIRM
	https://github.com/galette/galette/commit/a5602bc…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	galette	galette	Affected: < 0.9.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:08:31.567Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/galette/galette/security/advisories/GHSA-hw28-c7px-xqm5"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/galette/galette/commit/a5602bca2566f1be370631c3ab2d40feedd4b3ad"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "galette",
          "vendor": "galette",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.9.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Galette is a membership management web application built for non profit organizations and released under GPLv3. Versions prior to 0.9.6 do not check for Cross Site Request Forgery attacks. All users are advised to upgrade to 0.9.6 as soon as possible. There are no known workarounds for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-16T18:10:10",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/galette/galette/security/advisories/GHSA-hw28-c7px-xqm5"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/galette/galette/commit/a5602bca2566f1be370631c3ab2d40feedd4b3ad"
        }
      ],
      "source": {
        "advisory": "GHSA-hw28-c7px-xqm5",
        "discovery": "UNKNOWN"
      },
      "title": "Missing CSRF checks in Galette",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41260",
          "STATE": "PUBLIC",
          "TITLE": "Missing CSRF checks in Galette"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "galette",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 0.9.6"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "galette"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Galette is a membership management web application built for non profit organizations and released under GPLv3. Versions prior to 0.9.6 do not check for Cross Site Request Forgery attacks. All users are advised to upgrade to 0.9.6 as soon as possible. There are no known workarounds for this issue."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-352: Cross-Site Request Forgery (CSRF)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/galette/galette/security/advisories/GHSA-hw28-c7px-xqm5",
              "refsource": "CONFIRM",
              "url": "https://github.com/galette/galette/security/advisories/GHSA-hw28-c7px-xqm5"
            },
            {
              "name": "https://github.com/galette/galette/commit/a5602bca2566f1be370631c3ab2d40feedd4b3ad",
              "refsource": "MISC",
              "url": "https://github.com/galette/galette/commit/a5602bca2566f1be370631c3ab2d40feedd4b3ad"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-hw28-c7px-xqm5",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41260",
    "datePublished": "2021-12-16T18:10:11",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2024-08-04T03:08:31.567Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-102394

CVE-2021-41260 (GCVE-0-2021-41260)

Tags

Sightings

Nomenclature