CVE-2021-36802 - OpenCVE

Akaunting version 2.1.12 and earlier suffers from a denial-of-service issue that is triggered by setting a malformed 'locale' variable and sending it in an otherwise normal HTTP POST request. This issue was fixed in version 2.1.13 of the product.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Akaunting	Akaunting

Configuration 1 [-]

cpe:2.3:a:akaunting:akaunting:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.rapid7.com/blog/post/2021/07/27/multiple-open-source-web-app-vulnerabilities-fixed/

History

No history.

MITRE

Status: PUBLISHED

Assigner: rapid7

Published: 2021-08-04T22:20:41.632860Z

Updated: 2024-09-17T00:11:15.201Z

Reserved: 2021-07-19T00:00:00

Link: CVE-2021-36802

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-08-04T23:15:08.103

Modified: 2021-08-11T14:03:29.907

Link: CVE-2021-36802

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Akaunting", "vendor": "Akaunting", "versions": [{"lessThanOrEqual": "2.1.12", "status": "affected", "version": "2.1.12", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Wiktor S\u0119dkowski of Nokia and Trevor Christiansen of Rapid7 discovered and reported this issue through Rapid7's vulnerability disclosure program."}], "datePublic": "2021-07-27T00:00:00", "descriptions": [{"lang": "en", "value": "Akaunting version 2.1.12 and earlier suffers from a denial-of-service issue that is triggered by setting a malformed 'locale' variable and sending it in an otherwise normal HTTP POST request. This issue was fixed in version 2.1.13 of the product."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-248", "description": "CWE-248: Uncaught Exception Denial of Service", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-04T22:20:41", "orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.rapid7.com/blog/post/2021/07/27/multiple-open-source-web-app-vulnerabilities-fixed/"}], "source": {"discovery": "EXTERNAL"}, "title": "Akaunting DoS via User-Controlled 'locale' Variable", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@rapid7.com", "DATE_PUBLIC": "2021-07-27T13:05:00.000Z", "ID": "CVE-2021-36802", "STATE": "PUBLIC", "TITLE": "Akaunting DoS via User-Controlled 'locale' Variable"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Akaunting", "version": {"version_data": [{"version_affected": "<=", "version_name": "2.1.12", "version_value": "2.1.12"}]}}]}, "vendor_name": "Akaunting"}]}}, "credit": [{"lang": "eng", "value": "Wiktor S\u0119dkowski of Nokia and Trevor Christiansen of Rapid7 discovered and reported this issue through Rapid7's vulnerability disclosure program."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Akaunting version 2.1.12 and earlier suffers from a denial-of-service issue that is triggered by setting a malformed 'locale' variable and sending it in an otherwise normal HTTP POST request. This issue was fixed in version 2.1.13 of the product."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-248: Uncaught Exception Denial of Service"}]}]}, "references": {"reference_data": [{"name": "https://www.rapid7.com/blog/post/2021/07/27/multiple-open-source-web-app-vulnerabilities-fixed/", "refsource": "MISC", "url": "https://www.rapid7.com/blog/post/2021/07/27/multiple-open-source-web-app-vulnerabilities-fixed/"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:01:59.214Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.rapid7.com/blog/post/2021/07/27/multiple-open-source-web-app-vulnerabilities-fixed/"}]}]}, "cveMetadata": {"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "assignerShortName": "rapid7", "cveId": "CVE-2021-36802", "datePublished": "2021-08-04T22:20:41.632860Z", "dateReserved": "2021-07-19T00:00:00", "dateUpdated": "2024-09-17T00:11:15.201Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:akaunting:akaunting:*:*:*:*:*:*:*:*", "matchCriteriaId": "C49D192D-B2AB-4D0F-9807-5DDF3C4EE3F7", "versionEndIncluding": "2.1.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Akaunting version 2.1.12 and earlier suffers from a denial-of-service issue that is triggered by setting a malformed 'locale' variable and sending it in an otherwise normal HTTP POST request. This issue was fixed in version 2.1.13 of the product."}, {"lang": "es", "value": "Akaunting versiones 2.1.12 y anteriores de sufren un problema de denegaci\u00f3n de servicio que es desencadenado al establecer una variable \"locale\" malformada y enviarla en una petici\u00f3n HTTP POST que, por lo dem\u00e1s, es normal. Este problema se ha corregido en la versi\u00f3n 2.1.13 del producto"}], "id": "CVE-2021-36802", "lastModified": "2021-08-11T14:03:29.907", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "cve@rapid7.com", "type": "Secondary"}]}, "published": "2021-08-04T23:15:08.103", "references": [{"source": "cve@rapid7.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.rapid7.com/blog/post/2021/07/27/multiple-open-source-web-app-vulnerabilities-fixed/"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-248"}], "source": "cve@rapid7.com", "type": "Secondary"}]}