CVE-2021-32697 (GCVE-0-2021-32697)

Vulnerability from cvelistv5 – Published: 2021-06-21 18:15 – Updated: 2024-08-03 23:25
VLAI?
Title
Form validation can be skipped
Summary
neos/forms is an open source framework to build web forms. By crafting a special `GET` request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form Finishers cause side effects even if no form values have been sent. Form Finishers can be adjusted in a way that they only execute an action if the submitted form contains some expected data. Alternatively a custom Finisher can be added as first finisher. This regression was introduced with https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE
  • CWE-20 - Improper Input Validation
Assigner
References
Impacted products
Vendor Product Version
neos form Affected: >= 1.2.0, < 4.3.3
Affected: >= 5.0.0, < 5.0.9
Affected: >= 5.1.0, < 5.1.3
Create a notification for this product.
Show details on NVD website
To clipboard Create KEV Entry 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:25:31.146Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/neos/form/security/advisories/GHSA-m5vx-8chx-qvmm"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/neos/form-ghsa-m5vx-8chx-qvmm/pull/1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/neos/form/commit/69de4219b1f58157e2be6b05811463875d75c246"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/neos/form/releases/tag/5.1.3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "form",
          "vendor": "neos",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.2.0, \u003c 4.3.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.0.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.1.0, \u003c 5.1.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "neos/forms is an open source framework to build web forms. By crafting a special `GET` request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form Finishers cause side effects even if no form values have been sent. Form Finishers can be adjusted in a way that they only execute an action if the submitted form contains some expected data. Alternatively a custom Finisher can be added as first finisher. This regression was introduced with https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-21T18:15:13",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/neos/form/security/advisories/GHSA-m5vx-8chx-qvmm"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/neos/form-ghsa-m5vx-8chx-qvmm/pull/1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/neos/form/commit/69de4219b1f58157e2be6b05811463875d75c246"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/neos/form/releases/tag/5.1.3"
        }
      ],
      "source": {
        "advisory": "GHSA-m5vx-8chx-qvmm",
        "discovery": "UNKNOWN"
      },
      "title": "Form validation can be skipped",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32697",
          "STATE": "PUBLIC",
          "TITLE": "Form validation can be skipped"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "form",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 1.2.0, \u003c 4.3.3"
                          },
                          {
                            "version_value": "\u003e= 5.0.0, \u003c 5.0.9"
                          },
                          {
                            "version_value": "\u003e= 5.1.0, \u003c 5.1.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "neos"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "neos/forms is an open source framework to build web forms. By crafting a special `GET` request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form Finishers cause side effects even if no form values have been sent. Form Finishers can be adjusted in a way that they only execute an action if the submitted form contains some expected data. Alternatively a custom Finisher can be added as first finisher. This regression was introduced with https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567"
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20: Improper Input Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/neos/form/security/advisories/GHSA-m5vx-8chx-qvmm",
              "refsource": "CONFIRM",
              "url": "https://github.com/neos/form/security/advisories/GHSA-m5vx-8chx-qvmm"
            },
            {
              "name": "https://github.com/neos/form-ghsa-m5vx-8chx-qvmm/pull/1",
              "refsource": "MISC",
              "url": "https://github.com/neos/form-ghsa-m5vx-8chx-qvmm/pull/1"
            },
            {
              "name": "https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567",
              "refsource": "MISC",
              "url": "https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567"
            },
            {
              "name": "https://github.com/neos/form/commit/69de4219b1f58157e2be6b05811463875d75c246",
              "refsource": "MISC",
              "url": "https://github.com/neos/form/commit/69de4219b1f58157e2be6b05811463875d75c246"
            },
            {
              "name": "https://github.com/neos/form/releases/tag/5.1.3",
              "refsource": "MISC",
              "url": "https://github.com/neos/form/releases/tag/5.1.3"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-m5vx-8chx-qvmm",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32697",
    "datePublished": "2021-06-21T18:15:13",
    "dateReserved": "2021-05-12T00:00:00",
    "dateUpdated": "2024-08-03T23:25:31.146Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-32697\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-06-21T19:15:08.073\",\"lastModified\":\"2024-11-21T06:07:33.163\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"neos/forms is an open source framework to build web forms. By crafting a special `GET` request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form Finishers cause side effects even if no form values have been sent. Form Finishers can be adjusted in a way that they only execute an action if the submitted form contains some expected data. Alternatively a custom Finisher can be added as first finisher. This regression was introduced with https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567\"},{\"lang\":\"es\",\"value\":\"neos/forms es un framework de c\u00f3digo abierto para construir formularios web. Al dise\u00f1ar una petici\u00f3n especial \\\"GET\\\" que contenga un estado de formulario v\u00e1lido, un formulario puede ser enviado sin invocar ning\u00fan validador. El estado del formulario est\u00e1 asegurado con un HMAC que sigue siendo comprobado. Esto significa que este problema s\u00f3lo puede ser explotado si los Form Finishers causan efectos secundarios incluso si no se han enviado valores de formulario. Los finalizadores de formularios pueden ajustarse de manera que s\u00f3lo ejecuten una acci\u00f3n si el formulario enviado contiene algunos datos esperados. Alternativamente se puede a\u00f1adir un finalizador personalizado como primer finalizador. Esta regresi\u00f3n se introdujo con https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:neos:form:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.2.0\",\"versionEndExcluding\":\"4.3.3\",\"matchCriteriaId\":\"B2F4EB15-C82B-4C52-89D3-8230FE945E74\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:neos:form:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndExcluding\":\"5.0.9\",\"matchCriteriaId\":\"11B52CB3-C5EC-4D14-B7EF-D19137425459\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:neos:form:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.1.0\",\"versionEndExcluding\":\"5.1.3\",\"matchCriteriaId\":\"73FD3D5A-F8E8-4241-BB47-785226A371D8\"}]}]}],\"references\":[{\"url\":\"https://github.com/neos/form-ghsa-m5vx-8chx-qvmm/pull/1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/neos/form/commit/69de4219b1f58157e2be6b05811463875d75c246\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/neos/form/releases/tag/5.1.3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/neos/form/security/advisories/GHSA-m5vx-8chx-qvmm\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/neos/form-ghsa-m5vx-8chx-qvmm/pull/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/neos/form/commit/69de4219b1f58157e2be6b05811463875d75c246\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/neos/form/releases/tag/5.1.3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/neos/form/security/advisories/GHSA-m5vx-8chx-qvmm\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.