CVE-2021-32691

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-32691
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32691.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-32691
Published
2021-06-16T22:15:07Z
Modified
2025-01-15T01:54:23.872258Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Apollos Apps is an open source platform for launching church-related apps. In Apollos Apps versions prior to 2.20.0, new user registrations are able to access anyone's account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within the app, as well as any authenticated links to Rock-based webpages (such as giving and events). There is a patch in version 2.20.0. As a workaround, one can patch one's server by overriding the create data source method on the People class.

Affected packages

Git / github.com/apollosproject/apollos-apps

Affected ranges

Type
GIT
Repo
https://github.com/apollosproject/apollos-apps
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other

rm
v

v0.*

v0.8.5
v0.8.6

v1.*

v1.0.0
v1.0.0-beta.0
v1.1.0
v1.1.0-beta.0
v1.1.0-beta.2
v1.1.0-beta.3
v1.2.0
v1.2.0-beta.0
v1.2.0-beta.1
v1.2.0-beta.2
v1.2.0-beta.3
v1.2.0-beta.4
v1.2.0-beta.5
v1.2.0-beta.6
v1.2.0-beta.7
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.3.0-beta.0
v1.3.0-beta.1
v1.3.0-beta.2
v1.3.0-beta.3
v1.3.0-beta.5
v1.3.0-beta.6
v1.4
v1.4.0
v1.4.3
v1.5
v1.5.0
v1.6
v1.6.0
v1.6.0-beta.0
v1.6.0-beta.1
v1.7
v1.7.0
v1.7.0-beta.1
v1.7.0-beta.2
v1.7.0-beta.3
v1.7.2
v1.8.0-beta.0

v2.*

v2.0.0
v2.0.0-2.0.0-alpha.16.0
v2.0.0-beta.0
v2.0.0-beta.1
v2.0.0-beta.2
v2.0.0-beta.3
v2.0.0-beta.4
v2.0.1-canary.0
v2.1.0
v2.1.1
v2.10.0
v2.11.0
v2.12.0
v2.13.0
v2.13.1
v2.14.0
v2.15.0
v2.16.0
v2.17.0
v2.18.0
v2.18.1
v2.19.0
v2.2.0
v2.3.0
v2.3.1
v2.4.0
v2.5.0
v2.6.0
v2.7.0
v2.8.0
v2.9.0