CVE-2021-38621 - Vulnerability Details - OpenCVE

The remove API in v1/controller/cloudStorage/alibabaCloud/remove/index.ts in netless Agora Flat Server before 2021-07-30 mishandles file ownership.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Netless	Flat Server

Configuration 1 [-]

cpe:2.3:a:netless:flat_server:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/netless-io/flat-server/commit/425aa970f6366874c61aa1466527fced5501e476

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-08-13T14:05:14

Updated: 2024-08-04T01:44:23.543Z

Reserved: 2021-08-13T00:00:00

Link: CVE-2021-38621

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-08-13T15:15:07.160

Modified: 2024-11-21T06:17:44.033

Link: CVE-2021-38621

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The remove API in v1/controller/cloudStorage/alibabaCloud/remove/index.ts in netless Agora Flat Server before 2021-07-30 mishandles file ownership."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-08-13T14:05:14", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/netless-io/flat-server/commit/425aa970f6366874c61aa1466527fced5501e476"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2021-38621", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The remove API in v1/controller/cloudStorage/alibabaCloud/remove/index.ts in netless Agora Flat Server before 2021-07-30 mishandles file ownership."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/netless-io/flat-server/commit/425aa970f6366874c61aa1466527fced5501e476", "refsource": "MISC", "url": "https://github.com/netless-io/flat-server/commit/425aa970f6366874c61aa1466527fced5501e476"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:44:23.543Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/netless-io/flat-server/commit/425aa970f6366874c61aa1466527fced5501e476"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-38621", "datePublished": "2021-08-13T14:05:14", "dateReserved": "2021-08-13T00:00:00", "dateUpdated": "2024-08-04T01:44:23.543Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netless:flat_server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E2FC449C-D523-47D7-9CEE-4440943E291D", "versionEndExcluding": "2021-07-30", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The remove API in v1/controller/cloudStorage/alibabaCloud/remove/index.ts in netless Agora Flat Server before 2021-07-30 mishandles file ownership."}, {"lang": "es", "value": "La API de eliminaci\u00f3n en el componente v1/controller/cloudStorage/alibabaCloud/remove/index.ts en el Agora Flat Server sin red antes del 30-07-2021, maneja inapropiadamente la propiedad de los archivos."}], "id": "CVE-2021-38621", "lastModified": "2024-11-21T06:17:44.033", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "[email protected]", "type": "Primary"}]}, "published": "2021-08-13T15:15:07.160", "references": [{"source": "[email protected]", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/netless-io/flat-server/commit/425aa970f6366874c61aa1466527fced5501e476"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/netless-io/flat-server/commit/425aa970f6366874c61aa1466527fced5501e476"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "[email protected]", "type": "Primary"}]}