CVE-2021-41189 - OpenCVE

DSpace is an open source turnkey repository application. In version 7.0, any community or collection administrator can escalate their permission up to become system administrator. This vulnerability only exists in 7.0 and does not impact 6.x or below. This issue is patched in version 7.1. As a workaround, users of 7.0 may temporarily disable the ability for community or collection administrators to manage permissions or workflows settings.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:S/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Duraspace	Dspace

Configuration 1 [-]

cpe:2.3:a:duraspace:dspace:7.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/DSpace/DSpace/commit/277b499a5cd3a4f5eb2370513a1b7e4ec2a6e041
https://github.com/DSpace/DSpace/commit/c3bea16ab911606e15ae96c97a1575e1ffb14f8a
https://github.com/DSpace/DSpace/issues/7928
https://github.com/DSpace/DSpace/security/advisories/GHSA-cf2j-vf36-c6w8

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-10-29T17:25:10

Updated: 2024-08-04T03:08:31.307Z

Reserved: 2021-09-15T00:00:00

Link: CVE-2021-41189

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-10-29T18:15:08.167

Modified: 2021-11-03T12:47:36.327

Link: CVE-2021-41189

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "DSpace", "vendor": "DSpace", "versions": [{"status": "affected", "version": ">= 7.0, < 7.1"}]}], "descriptions": [{"lang": "en", "value": "DSpace is an open source turnkey repository application. In version 7.0, any community or collection administrator can escalate their permission up to become system administrator. This vulnerability only exists in 7.0 and does not impact 6.x or below. This issue is patched in version 7.1. As a workaround, users of 7.0 may temporarily disable the ability for community or collection administrators to manage permissions or workflows settings."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-29T17:25:10", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-cf2j-vf36-c6w8"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/DSpace/DSpace/issues/7928"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/DSpace/DSpace/commit/277b499a5cd3a4f5eb2370513a1b7e4ec2a6e041"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/DSpace/DSpace/commit/c3bea16ab911606e15ae96c97a1575e1ffb14f8a"}], "source": {"advisory": "GHSA-cf2j-vf36-c6w8", "discovery": "UNKNOWN"}, "title": "Communities and collections administrators can escalate their privilege up to system administrator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41189", "STATE": "PUBLIC", "TITLE": "Communities and collections administrators can escalate their privilege up to system administrator"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "DSpace", "version": {"version_data": [{"version_value": ">= 7.0, < 7.1"}]}}]}, "vendor_name": "DSpace"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "DSpace is an open source turnkey repository application. In version 7.0, any community or collection administrator can escalate their permission up to become system administrator. This vulnerability only exists in 7.0 and does not impact 6.x or below. This issue is patched in version 7.1. As a workaround, users of 7.0 may temporarily disable the ability for community or collection administrators to manage permissions or workflows settings."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-863: Incorrect Authorization"}]}]}, "references": {"reference_data": [{"name": "https://github.com/DSpace/DSpace/security/advisories/GHSA-cf2j-vf36-c6w8", "refsource": "CONFIRM", "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-cf2j-vf36-c6w8"}, {"name": "https://github.com/DSpace/DSpace/issues/7928", "refsource": "MISC", "url": "https://github.com/DSpace/DSpace/issues/7928"}, {"name": "https://github.com/DSpace/DSpace/commit/277b499a5cd3a4f5eb2370513a1b7e4ec2a6e041", "refsource": "MISC", "url": "https://github.com/DSpace/DSpace/commit/277b499a5cd3a4f5eb2370513a1b7e4ec2a6e041"}, {"name": "https://github.com/DSpace/DSpace/commit/c3bea16ab911606e15ae96c97a1575e1ffb14f8a", "refsource": "MISC", "url": "https://github.com/DSpace/DSpace/commit/c3bea16ab911606e15ae96c97a1575e1ffb14f8a"}]}, "source": {"advisory": "GHSA-cf2j-vf36-c6w8", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:08:31.307Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-cf2j-vf36-c6w8"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/DSpace/DSpace/issues/7928"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/DSpace/DSpace/commit/277b499a5cd3a4f5eb2370513a1b7e4ec2a6e041"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/DSpace/DSpace/commit/c3bea16ab911606e15ae96c97a1575e1ffb14f8a"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41189", "datePublished": "2021-10-29T17:25:10", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T03:08:31.307Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:duraspace:dspace:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "EC2273B4-D6B6-4968-BF9A-65812B5799A1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "DSpace is an open source turnkey repository application. In version 7.0, any community or collection administrator can escalate their permission up to become system administrator. This vulnerability only exists in 7.0 and does not impact 6.x or below. This issue is patched in version 7.1. As a workaround, users of 7.0 may temporarily disable the ability for community or collection administrators to manage permissions or workflows settings."}, {"lang": "es", "value": "DSpace es una aplicaci\u00f3n de repositorio de c\u00f3digo abierto llave en mano. En la versi\u00f3n 7.0, cualquier administrador de una comunidad o colecci\u00f3n puede escalar sus permisos hasta convertirse en administrador del sistema. Esta vulnerabilidad s\u00f3lo se presenta en la versi\u00f3n 7.0 y no afecta a las versiones 6.x o por debajo. Este problema est\u00e1 parcheado en la versi\u00f3n 7.1. Como soluci\u00f3n, los usuarios de la versi\u00f3n 7.0 pueden deshabilitar temporalmente la capacidad para los administradores de comunidades o colecciones para administrar los permisos o la configuraci\u00f3n de los flujos de trabajo"}], "id": "CVE-2021-41189", "lastModified": "2021-11-03T12:47:36.327", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-10-29T18:15:08.167", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/DSpace/DSpace/commit/277b499a5cd3a4f5eb2370513a1b7e4ec2a6e041"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/DSpace/DSpace/commit/c3bea16ab911606e15ae96c97a1575e1ffb14f8a"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/DSpace/DSpace/issues/7928"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-cf2j-vf36-c6w8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}