GHSA-grvm-gcqf-gh8q

Source

https://github.com/advisories/GHSA-grvm-gcqf-gh8q

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-grvm-gcqf-gh8q/GHSA-grvm-gcqf-gh8q.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-grvm-gcqf-gh8q

Aliases

CVE-2021-36383

Published

2022-05-24T19:07:30Z

Modified

2023-11-08T04:06:13.465015Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Xen Orchestra Mishandles Authorization

Details

Xen Orchestra (with xo-web through 5.80.0 and xo-server through 5.84.0) mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data is which the attacker changes the permission field from none to admin. The attacker gains access to data sets such as VMs, Backups, Audit, Users, and Groups.

Database specific

{
    "github_reviewed_at": "2023-10-19T18:34:45Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-863"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2021-07-12T14:15:00Z"
}

References

Affected packages

npm / xo-web

Package

Name: xo-web; View open source insights on deps.dev
Purl: pkg:npm/xo-web

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

5.80.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-grvm-gcqf-gh8q/GHSA-grvm-gcqf-gh8q.json"

npm / xo-server

Package

Name: xo-server; View open source insights on deps.dev
Purl: pkg:npm/xo-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

5.84.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-grvm-gcqf-gh8q/GHSA-grvm-gcqf-gh8q.json"