CVE-2021-21265 - OpenCVE

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting cms.linkPolicy to force.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Octobercms	October

Configuration 1 [-]

cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6
https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0
https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-03-10T21:15:15

Updated: 2024-08-03T18:09:15.269Z

Reserved: 2020-12-22T00:00:00

Link: CVE-2021-21265

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-03-10T22:15:12.057

Modified: 2021-03-18T16:48:53.473

Link: CVE-2021-21265

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "october", "vendor": "octobercms", "versions": [{"status": "affected", "version": "< 1.1.2"}]}], "descriptions": [{"lang": "en", "value": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting cms.linkPolicy to force."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-644", "description": "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-03-10T21:15:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0"}], "source": {"advisory": "GHSA-xhfx-hgmf-v6vp", "discovery": "UNKNOWN"}, "title": "Potential Host Header Poisoning on misconfigured servers", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21265", "STATE": "PUBLIC", "TITLE": "Potential Host Header Poisoning on misconfigured servers"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "october", "version": {"version_data": [{"version_value": "< 1.1.2"}]}}]}, "vendor_name": "octobercms"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting cms.linkPolicy to force."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax"}]}]}, "references": {"reference_data": [{"name": "https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp", "refsource": "CONFIRM", "url": "https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp"}, {"name": "https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6", "refsource": "MISC", "url": "https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6"}, {"name": "https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0", "refsource": "MISC", "url": "https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0"}]}, "source": {"advisory": "GHSA-xhfx-hgmf-v6vp", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:09:15.269Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21265", "datePublished": "2021-03-10T21:15:15", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.269Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*", "matchCriteriaId": "E34205D2-FCF8-4F33-8835-3CEA0E253936", "versionEndExcluding": "1.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting cms.linkPolicy to force."}, {"lang": "es", "value": "October es una plataforma CMS gratuita, de c\u00f3digo abierto y autoinvitada basada en Laravel PHP Framework. En October versiones anteriores a 1.1.2, cuando se ejecuta en servidores mal configurados (es decir, el servidor enruta cualquier petici\u00f3n, independientemente del encabezado HOST hacia una instancia CMS de october), se presenta la posibilidad de que los ataques de Envenenamiento del Encabezado de host tengan \u00e9xito. Esto ha sido solucionado en la versi\u00f3n 1.1.2, al agregar una funci\u00f3n para permitir que se especifique un conjunto de hosts confiables en la aplicaci\u00f3n. Como soluci\u00f3n alternativa, puede establecerse el ajuste de configuraci\u00f3n cms.linkPolicy para forzar"}], "id": "CVE-2021-21265", "lastModified": "2021-03-18T16:48:53.473", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-03-10T22:15:12.057", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-644"}], "source": "security-advisories@github.com", "type": "Primary"}]}