Vulnerability-Lookup

CNVD-2022-09771

Vulnerability from cnvd - Published: 2022-02-11

Title

Ifme访问控制错误漏洞

Description

Ifme是开源的一个心理健康体验社区，鼓励人们与可信赖的盟友分享他们的个人故事。 ifme存在访问控制错误漏洞，攻击者可利用该漏洞导致管理员从Ifme帐户中停用并完全失去对Ifme的管理员访问权限。

Severity

中

Patch Name

Ifme访问控制错误漏洞的补丁

Patch Description

Ifme是开源的一个心理健康体验社区，鼓励人们与可信赖的盟友分享他们的个人故事。 ifme存在访问控制错误漏洞，攻击者可利用该漏洞导致管理员从Ifme帐户中停用并完全失去对Ifme的管理员访问权限。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/ifmeorg/ifme/commit/d1f570c458d41667df801fc9c40a18b181a2d923

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-25991

Impacted products

Name
Ifme Ifme >=5.0.0，<=7.32

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-25991"
    }
  },
  "description": "Ifme\u662f\u5f00\u6e90\u7684\u4e00\u4e2a\u5fc3\u7406\u5065\u5eb7\u4f53\u9a8c\u793e\u533a\uff0c\u9f13\u52b1\u4eba\u4eec\u4e0e\u53ef\u4fe1\u8d56\u7684\u76df\u53cb\u5206\u4eab\u4ed6\u4eec\u7684\u4e2a\u4eba\u6545\u4e8b\u3002\n\nifme\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u7ba1\u7406\u5458\u4eceIfme\u5e10\u6237\u4e2d\u505c\u7528\u5e76\u5b8c\u5168\u5931\u53bb\u5bf9Ifme\u7684\u7ba1\u7406\u5458\u8bbf\u95ee\u6743\u9650\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/ifmeorg/ifme/commit/d1f570c458d41667df801fc9c40a18b181a2d923",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-09771",
  "openTime": "2022-02-11",
  "patchDescription": "Ifme\u662f\u5f00\u6e90\u7684\u4e00\u4e2a\u5fc3\u7406\u5065\u5eb7\u4f53\u9a8c\u793e\u533a\uff0c\u9f13\u52b1\u4eba\u4eec\u4e0e\u53ef\u4fe1\u8d56\u7684\u76df\u53cb\u5206\u4eab\u4ed6\u4eec\u7684\u4e2a\u4eba\u6545\u4e8b\u3002\r\n\r\nifme\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u7ba1\u7406\u5458\u4eceIfme\u5e10\u6237\u4e2d\u505c\u7528\u5e76\u5b8c\u5168\u5931\u53bb\u5bf9Ifme\u7684\u7ba1\u7406\u5458\u8bbf\u95ee\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Ifme\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Ifme Ifme \u003e=5.0.0\uff0c\u003c=7.32"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-25991",
  "serverity": "\u4e2d",
  "submitTime": "2021-12-30",
  "title": "Ifme\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2021-25991 (GCVE-0-2021-25991)

Vulnerability from cvelistv5 – Published: 2021-12-29 09:10 – Updated: 2025-04-30 15:43

Title

ifme - Improper Access Control leads to admin deactivation

Summary

In Ifme, versions v5.0.0 to v7.32 are vulnerable against an improper access control, which makes it possible for admins to ban themselves leading to their deactivation from Ifme account and complete loss of admin access to Ifme.

Severity ?

5.7 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

CWE

CWE-284 - Improper Access Control

Assigner

Mend

References

2 references

URL	Tags
https://github.com/ifmeorg/ifme/commit/d1f570c458…	x_refsource_MISC
https://www.whitesourcesoftware.com/vulnerability…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
ifmeorg	ifme	Affected: v5.0.0 , < unspecified (custom) Affected: unspecified , ≤ v7.32 (custom)

Date Public ?

2021-12-27 00:00

Credits

WhiteSource Vulnerability Research Team (WVR)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T20:19:19.411Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ifmeorg/ifme/commit/d1f570c458d41667df801fc9c40a18b181a2d923"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25991"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-25991",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-30T15:27:29.587587Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-30T15:43:44.984Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ifme",
          "vendor": "ifmeorg",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "v5.0.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "v7.32",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "WhiteSource Vulnerability Research Team (WVR)"
        }
      ],
      "datePublic": "2021-12-27T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "In Ifme, versions v5.0.0 to v7.32 are vulnerable against an improper access control, which makes it possible for admins to ban themselves leading to their deactivation from Ifme account and complete loss of admin access to Ifme."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-29T18:24:22.000Z",
        "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
        "shortName": "Mend"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ifmeorg/ifme/commit/d1f570c458d41667df801fc9c40a18b181a2d923"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25991"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update version to v7.32.1 or later"
        }
      ],
      "source": {
        "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
        "discovery": "UNKNOWN"
      },
      "title": "ifme - Improper Access Control leads to admin deactivation",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
          "DATE_PUBLIC": "2021-12-27T08:22:00.000Z",
          "ID": "CVE-2021-25991",
          "STATE": "PUBLIC",
          "TITLE": "ifme - Improper Access Control leads to admin deactivation"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ifme",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_value": "v5.0.0"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "v7.32"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ifmeorg"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "WhiteSource Vulnerability Research Team (WVR)"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Ifme, versions v5.0.0 to v7.32 are vulnerable against an improper access control, which makes it possible for admins to ban themselves leading to their deactivation from Ifme account and complete loss of admin access to Ifme."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-284 Improper Access Control"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/ifmeorg/ifme/commit/d1f570c458d41667df801fc9c40a18b181a2d923",
              "refsource": "MISC",
              "url": "https://github.com/ifmeorg/ifme/commit/d1f570c458d41667df801fc9c40a18b181a2d923"
            },
            {
              "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25991",
              "refsource": "MISC",
              "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25991"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Update version to v7.32.1 or later"
          }
        ],
        "source": {
          "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
    "assignerShortName": "Mend",
    "cveId": "CVE-2021-25991",
    "datePublished": "2021-12-29T09:10:19.040Z",
    "dateReserved": "2021-01-22T00:00:00.000Z",
    "dateUpdated": "2025-04-30T15:43:44.984Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-09771

CVE-2021-25991 (GCVE-0-2021-25991)

Tags

Sightings

Nomenclature