CVE-2021-22538 - OpenCVE

A privilege escalation vulnerability impacting the Google Exposure Notification Verification Server (versions prior to 0.23.1), allows an attacker who (1) has UserWrite permissions and (2) is using a carefully crafted request or malicious proxy, to create another user with higher privileges than their own. This occurs due to insufficient checks on the allowed set of permissions. The new user creation event would be captured in the Event Log.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Google	Exposure Notifications Verification Server

Configuration 1 [-]

cpe:2.3:a:google:exposure_notifications_verification_server:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/google/exposure-notifications-verification-server/commit/eb8cf40b12dbe79304f1133c06fb73419383cd95
https://github.com/google/exposure-notifications-verification-server/releases/tag/v0.23.1
https://github.com/google/exposure-notifications-verification-server/releases/tag/v0.24.0
https://github.com/google/exposure-notifications-verification-server/security/advisories/GHSA-5v95-v8c8-3rh6

History

No history.

MITRE

Status: PUBLISHED

Assigner: Google

Published: 2021-03-31T21:10:13

Updated: 2024-08-03T18:44:13.699Z

Reserved: 2021-01-05T00:00:00

Link: CVE-2021-22538

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-03-31T21:15:16.057

Modified: 2021-04-06T14:11:52.257

Link: CVE-2021-22538

Redhat

No data.

{"containers": {"cna": {"affected": [{"platforms": ["all"], "product": "Exposure Notifications Verification Server", "vendor": "Google LLC", "versions": [{"lessThanOrEqual": "0.23.0", "status": "affected", "version": "stable", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Michael Mazzolini (Ethical Hacker at WHO)"}], "descriptions": [{"lang": "en", "value": "A privilege escalation vulnerability impacting the Google Exposure Notification Verification Server (versions prior to 0.23.1), allows an attacker who (1) has UserWrite permissions and (2) is using a carefully crafted request or malicious proxy, to create another user with higher privileges than their own. This occurs due to insufficient checks on the allowed set of permissions. The new user creation event would be captured in the Event Log."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-03-31T21:10:13", "orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/google/exposure-notifications-verification-server/security/advisories/GHSA-5v95-v8c8-3rh6"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/google/exposure-notifications-verification-server/commit/eb8cf40b12dbe79304f1133c06fb73419383cd95"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/google/exposure-notifications-verification-server/releases/tag/v0.23.1"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/google/exposure-notifications-verification-server/releases/tag/v0.24.0"}], "source": {"discovery": "UNKNOWN"}, "title": "Privilege escalation in RBAC system", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@google.com", "ID": "CVE-2021-22538", "STATE": "PUBLIC", "TITLE": "Privilege escalation in RBAC system"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Exposure Notifications Verification Server", "version": {"version_data": [{"platform": "all", "version_affected": "<=", "version_name": "stable", "version_value": "0.23.0"}]}}]}, "vendor_name": "Google LLC"}]}}, "credit": [{"lang": "eng", "value": "Michael Mazzolini (Ethical Hacker at WHO)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A privilege escalation vulnerability impacting the Google Exposure Notification Verification Server (versions prior to 0.23.1), allows an attacker who (1) has UserWrite permissions and (2) is using a carefully crafted request or malicious proxy, to create another user with higher privileges than their own. This occurs due to insufficient checks on the allowed set of permissions. The new user creation event would be captured in the Event Log."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://github.com/google/exposure-notifications-verification-server/security/advisories/GHSA-5v95-v8c8-3rh6", "refsource": "CONFIRM", "url": "https://github.com/google/exposure-notifications-verification-server/security/advisories/GHSA-5v95-v8c8-3rh6"}, {"name": "https://github.com/google/exposure-notifications-verification-server/commit/eb8cf40b12dbe79304f1133c06fb73419383cd95", "refsource": "CONFIRM", "url": "https://github.com/google/exposure-notifications-verification-server/commit/eb8cf40b12dbe79304f1133c06fb73419383cd95"}, {"name": "https://github.com/google/exposure-notifications-verification-server/releases/tag/v0.23.1", "refsource": "CONFIRM", "url": "https://github.com/google/exposure-notifications-verification-server/releases/tag/v0.23.1"}, {"name": "https://github.com/google/exposure-notifications-verification-server/releases/tag/v0.24.0", "refsource": "CONFIRM", "url": "https://github.com/google/exposure-notifications-verification-server/releases/tag/v0.24.0"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:44:13.699Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/google/exposure-notifications-verification-server/security/advisories/GHSA-5v95-v8c8-3rh6"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/google/exposure-notifications-verification-server/commit/eb8cf40b12dbe79304f1133c06fb73419383cd95"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/google/exposure-notifications-verification-server/releases/tag/v0.23.1"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/google/exposure-notifications-verification-server/releases/tag/v0.24.0"}]}]}, "cveMetadata": {"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "assignerShortName": "Google", "cveId": "CVE-2021-22538", "datePublished": "2021-03-31T21:10:13", "dateReserved": "2021-01-05T00:00:00", "dateUpdated": "2024-08-03T18:44:13.699Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:exposure_notifications_verification_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "4AB50BC0-EC62-473B-8550-917FB077D093", "versionEndExcluding": "0.23.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A privilege escalation vulnerability impacting the Google Exposure Notification Verification Server (versions prior to 0.23.1), allows an attacker who (1) has UserWrite permissions and (2) is using a carefully crafted request or malicious proxy, to create another user with higher privileges than their own. This occurs due to insufficient checks on the allowed set of permissions. The new user creation event would be captured in the Event Log."}, {"lang": "es", "value": "Una vulnerabilidad de escalada de privilegios que afecta al Google Exposure Notification Verification Server (versiones anteriores a 0.23.1), permite a un atacante que (1) tenga permisos de UserWrite y (2) est\u00e9 usando una petici\u00f3n cuidadosamente dise\u00f1ada o un proxy malicioso, crear otro usuario con un nivel de privilegios mayores que los suyos. Esto se presenta debido a controles insuficientes sobre el conjunto permitido de permisos. El evento de creaci\u00f3n de nuevo usuario se capturar\u00eda en el Registro de Eventos."}], "id": "CVE-2021-22538", "lastModified": "2021-04-06T14:11:52.257", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2021-03-31T21:15:16.057", "references": [{"source": "cve-coordination@google.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/google/exposure-notifications-verification-server/commit/eb8cf40b12dbe79304f1133c06fb73419383cd95"}, {"source": "cve-coordination@google.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/google/exposure-notifications-verification-server/releases/tag/v0.23.1"}, {"source": "cve-coordination@google.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/google/exposure-notifications-verification-server/releases/tag/v0.24.0"}, {"source": "cve-coordination@google.com", "tags": ["Third Party Advisory"], "url": "https://github.com/google/exposure-notifications-verification-server/security/advisories/GHSA-5v95-v8c8-3rh6"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}