CVE-2021-28122

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-28122
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-28122.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-28122
Published
2021-03-10T15:15:12Z
Modified
2024-06-06T13:38:34.368133Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.x before 2.2.1. The WebUI component allows an unauthenticated user to use a crafted HTTP API request to create, read, update, or delete entries in the subscriber database. For example, new administrative users can be added. The issue occurs because Express is not set up to require authentication.

References

Affected packages

Git / github.com/open5gs/open5gs

Affected ranges

Type
GIT
Repo
https://github.com/open5gs/open5gs
Events

Affected versions

v2.*

v2.1.3
v2.1.4
v2.1.5
v2.1.7
v2.2.0