CVE-2021-43447 - Vulnerability Details - OpenCVE

ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. An authentication bypass in the document editor allows attackers to edit documents without authentication.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Onlyoffice	Server

Configuration 1 [-]

cpe:2.3:a:onlyoffice:server:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/ONLYOFFICE/server
https://labs.nettitude.com/blog/exploiting-onlyoffice-web-sockets-for-unauthenticated-remote-code-execution/
https://www.onlyoffice.com/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-01-23T00:00:00

Updated: 2024-08-04T03:55:29.295Z

Reserved: 2021-11-08T00:00:00

Link: CVE-2021-43447

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-01-23T15:15:13.397

Modified: 2024-11-21T06:29:14.573

Link: CVE-2021-43447

Redhat

No data.

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:onlyoffice:server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F20D43B1-2433-412A-8D51-7D04C974D445", "versionEndIncluding": "7.0.0.49", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. An authentication bypass in the document editor allows attackers to edit documents without authentication."}, {"lang": "es", "value": "Todas las versiones de ONLYOFFICE con fecha posterior al 08/11/2021 se ven afectadas por una vulnerabilidad de control de acceso incorrecto. Una omisi\u00f3n de autenticaci\u00f3n en el editor de documentos permite a los atacantes editar documentos sin autenticaci\u00f3n."}], "id": "CVE-2021-43447", "lastModified": "2024-11-21T06:29:14.573", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-23T15:15:13.397", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/ONLYOFFICE/server"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://labs.nettitude.com/blog/exploiting-onlyoffice-web-sockets-for-unauthenticated-remote-code-execution/"}, {"source": "cve@mitre.org", "tags": ["Product", "Vendor Advisory"], "url": "https://www.onlyoffice.com/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/ONLYOFFICE/server"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://labs.nettitude.com/blog/exploiting-onlyoffice-web-sockets-for-unauthenticated-remote-code-execution/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Vendor Advisory"], "url": "https://www.onlyoffice.com/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}]}