CVE-2021-29452

Source
https://cve.org/CVERecord?id=CVE-2021-29452
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-29452.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-29452
Published
2021-04-16T22:15:14.310Z
Modified
2026-03-13T21:59:43.108818Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
[none]
Details

a12n-server is an npm package which aims to provide a simple authentication system. Version 0.18.0 added a new HAL-Form for editing users. This feature should only have been accessible to admins. Unfortunately, privileges were checked incorrectly, allowing any logged-in user to make this change. Patched in v0.18.2.

Affected packages

Git / github.com/curveball/a12n-server

Affected ranges

Type
GIT
Repo
https://github.com/curveball/a12n-server
Events
Database specific
{
    "versions": [
        {
            "introduced": "0.18.0"
        },
        {
            "fixed": "0.18.2"
        }
    ]
}

Affected versions

v0.*
v0.18.0
v0.18.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-29452.json"