CVE-2021-33898

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-33898

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-33898.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-33898

Published

2021-06-06T23:15:07.517Z

Modified

2025-11-20T11:47:25.316020Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In Invoice Ninja before 4.4.0, there is an unsafe call to unserialize() in app/Ninja/Repositories/AccountRepository.php that may allow an attacker to deserialize arbitrary PHP classes. In certain contexts, this can result in remote code execution. The attacker's input must be hosted at http://www.geoplugin.net (cleartext HTTP), and thus a successful attack requires spoofing that site or obtaining control of it.

References

https://github.com/invoiceninja/invoiceninja/issues/5909

Affected packages

Git / github.com/invoiceninja/invoiceninja

Affected ranges

Type: GIT
Repo: https://github.com/invoiceninja/invoiceninja
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

4cda561fae1a10a970b1c4251a2962ed77ccc81c

Affected versions

v1.*

v1.0.2

v1.0.3

v1.1.0

v1.1.1

v1.1.2

v1.2.0

v1.2.1

v1.2.2

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.4.0

v1.5.0

v1.5.1

v1.5.2

v1.6.0

v1.6.1

v1.7.0

v1.7.1

v1.7.2

v2.*

v2.0.0

v2.0.0_RC1

v2.0.1

v2.1.0

v2.1.1

v2.1.2

v2.2.0

v2.2.1

v2.2.2

v2.3.0

v2.3.1

v2.3.2

v2.3.3

v2.3.4

v2.4.0

v2.4.1

v2.4.2

v2.4.3

v2.4.4

v2.4.5

v2.4.6

v2.4.7

v2.4.8

v2.4.8.1

v2.4.9

v2.4.9.1

v2.4.9.2

v2.4.9.3

v2.4.9.4

v2.4.9.5

v2.4.9.6

v2.5.0

v2.5.0.1

v2.5.0.2

v2.5.0.3

v2.5.0.4

v2.5.1

v2.5.1.1

v2.5.1.2

v2.5.1.3

v2.5.2

v2.5.2.1

v2.5.2.2

v2.6

v2.6.1

v2.6.10

v2.6.11

v2.6.2

v2.6.3

v2.6.4

v2.6.5

v2.6.6

v2.6.7

v2.6.8

v2.6.9

v2.7

v2.7.1

v2.7.2

v2.8

v2.8.1

v2.8.2

v2.9.0

v2.9.1

v2.9.2

v2.9.3

v2.9.4

v2.9.5

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.1.0

v3.1.1

v3.1.2

v3.1.3

v3.2.0

v3.2.1

v3.3.0

v3.3.1

v3.3.3

v3.4.0

v3.4.1

v3.4.2

v3.5.0

v3.5.1

v3.6.0

v3.6.1

v3.7.0

v3.7.1

v3.7.2

v3.8.0

v3.8.1

v3.9.0

v3.9.1

v3.9.2

v4.*

v4.0.0

v4.0.1

v4.1.0

v4.1.1

v4.1.2

v4.1.3

v4.1.4

v4.1.5

v4.2.0

v4.2.1

v4.2.2

v4.3.0

v4.3.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-33898.json"