
    2 vulnerabilities found for grav_admin by getgrav

    CVE-2021-29439 (GCVE-0-2021-29439)

    Vulnerability from nvd – Published: 2021-04-13 19:45 – Updated: 2024-08-03 22:02
    Title
    Plugins can be installed with minimal admin privileges
    Summary
    The Grav admin plugin prior to version 1.10.11 does not correctly verify the caller's privileges. As a consequence, users with the permission `admin.login` can install third-party plugins and their dependencies. By installing the right plugin, an attacker can obtain an arbitrary code execution primitive and elevate their privileges on the instance. The vulnerability has been addressed in version 1.10.11. As a mitigation, blocking access to the `/admin` path from untrusted sources will reduce the probability of exploitation.
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    getgrav grav-plugin-admin Affected: < 1.10.11

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T22:02:51.967Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-wg37-cf5x-55hq",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-wg37-cf5x-55hq"
              },
              {
                "name": "https://github.com/getgrav/grav-plugin-admin/commit/a220359877fd1281f76ba732e5308e0e3002e4b1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/getgrav/grav-plugin-admin/commit/a220359877fd1281f76ba732e5308e0e3002e4b1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "grav-plugin-admin",
              "vendor": "getgrav",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.10.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Grav admin plugin prior to version 1.10.11 does not correctly verify caller\u0027s privileges. As a consequence, users with the permission `admin.login` can install third-party plugins and their dependencies. By installing the right plugin, an attacker can obtain an arbitrary code execution primitive and elevate their privileges on the instance. The vulnerability has been addressed in version 1.10.11. As a mitigation blocking access to the `/admin` path from untrusted sources will reduce the probability of exploitation."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-06T21:25:34.348Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-wg37-cf5x-55hq",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-wg37-cf5x-55hq"
            },
            {
              "name": "https://github.com/getgrav/grav-plugin-admin/commit/a220359877fd1281f76ba732e5308e0e3002e4b1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/getgrav/grav-plugin-admin/commit/a220359877fd1281f76ba732e5308e0e3002e4b1"
            }
          ],
          "source": {
            "advisory": "GHSA-wg37-cf5x-55hq",
            "discovery": "UNKNOWN"
          },
          "title": "Plugins can be installed with minimal admin privileges"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2021-29439",
        "datePublished": "2021-04-13T19:45:15.000Z",
        "dateReserved": "2021-03-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T22:02:51.967Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-29439 (GCVE-0-2021-29439)

    Vulnerability from cvelistv5 – Published: 2021-04-13 19:45 – Updated: 2024-08-03 22:02
    Title
    Plugins can be installed with minimal admin privileges
    Summary
    The Grav admin plugin prior to version 1.10.11 does not correctly verify the caller's privileges. As a consequence, users with the permission `admin.login` can install third-party plugins and their dependencies. By installing the right plugin, an attacker can obtain an arbitrary code execution primitive and elevate their privileges on the instance. The vulnerability has been addressed in version 1.10.11. As a mitigation, blocking access to the `/admin` path from untrusted sources will reduce the probability of exploitation.
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    getgrav grav-plugin-admin Affected: < 1.10.11

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T22:02:51.967Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-wg37-cf5x-55hq",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-wg37-cf5x-55hq"
              },
              {
                "name": "https://github.com/getgrav/grav-plugin-admin/commit/a220359877fd1281f76ba732e5308e0e3002e4b1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/getgrav/grav-plugin-admin/commit/a220359877fd1281f76ba732e5308e0e3002e4b1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "grav-plugin-admin",
              "vendor": "getgrav",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.10.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Grav admin plugin prior to version 1.10.11 does not correctly verify caller\u0027s privileges. As a consequence, users with the permission `admin.login` can install third-party plugins and their dependencies. By installing the right plugin, an attacker can obtain an arbitrary code execution primitive and elevate their privileges on the instance. The vulnerability has been addressed in version 1.10.11. As a mitigation blocking access to the `/admin` path from untrusted sources will reduce the probability of exploitation."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-06T21:25:34.348Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-wg37-cf5x-55hq",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-wg37-cf5x-55hq"
            },
            {
              "name": "https://github.com/getgrav/grav-plugin-admin/commit/a220359877fd1281f76ba732e5308e0e3002e4b1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/getgrav/grav-plugin-admin/commit/a220359877fd1281f76ba732e5308e0e3002e4b1"
            }
          ],
          "source": {
            "advisory": "GHSA-wg37-cf5x-55hq",
            "discovery": "UNKNOWN"
          },
          "title": "Plugins can be installed with minimal admin privileges"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2021-29439",
        "datePublished": "2021-04-13T19:45:15.000Z",
        "dateReserved": "2021-03-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T22:02:51.967Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }