CVE-2021-41238

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-41238
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41238.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-41238
Aliases
Withdrawn
2024-05-15T05:34:00.347690Z
Published
2021-11-02T18:15:08Z
Modified
2023-11-29T09:03:39.836678Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Hangfire is an open source system for performing background job processing in .NET and .NET Core applications; no Windows Service or separate process is required. The Dashboard UI in Hangfire.Core uses authorization filters to prevent it from showing sensitive data to unauthorized users. By default, when no custom authorization filters are specified, the LocalRequestsOnlyAuthorizationFilter is applied so that only local requests are allowed and all remote requests are rejected, giving a sensible, protected-by-default configuration. However, due to recent changes, version 1.7.25 applies no authorization filters by default, allowing remote requests to succeed. If you call the UseHangfireDashboard method with the default value of the DashboardOptions.Authorization property, your installation is affected. If any other authorization filter is specified in the DashboardOptions.Authorization property, you are not affected. A patched version (1.7.26) is available both on NuGet.org and as a tagged release in the GitHub repository; its default authorization rules once again prohibit remote requests by including the LocalRequestsOnlyAuthorizationFilter in the default settings. Upgrade to the newest version to mitigate the issue. Users who are unable to upgrade can mitigate the issue by specifying the LocalRequestsOnlyAuthorizationFilter explicitly when configuring the Dashboard UI.
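The following ASP.NET Core startup code is an added example, not code from the Hangfire project or from this advisory. It places the affected configuration (DashboardOptions.Authorization left at its default) beside the explicit mitigation described above, and adds a third variant for deployments whose operators must reach the dashboard remotely. It assumes the Hangfire.Core and Hangfire.AspNetCore packages, that services.AddHangfire(...) has already registered a storage, and that the role name and the RoleDashboardAuthorizationFilter class are hypothetical names chosen for the illustration.

```csharp
// Added example for CVE-2021-41238 (not Hangfire project code).
// Assumes Hangfire.Core + Hangfire.AspNetCore and a storage registered
// earlier via services.AddHangfire(...).
using Hangfire;
using Hangfire.Dashboard;
using Microsoft.AspNetCore.Builder;

public static class HangfireDashboardSetup
{
    // AFFECTED on 1.7.25: Authorization is left at its default. On that
    // release the default filter set is empty, so any remote client can
    // browse job arguments, exception details and server names.
    public static void MapDashboardUnsafe(IApplicationBuilder app)
    {
        app.UseHangfireDashboard("/hangfire");
    }

    // MITIGATED: name the filter explicitly, so the result no longer depends
    // on which filters a given Hangfire.Core release ships as its default.
    // Remote requests are rejected by Hangfire before any page renders.
    public static void MapDashboardLocalOnly(IApplicationBuilder app)
    {
        app.UseHangfireDashboard("/hangfire", new DashboardOptions
        {
            Authorization = new IDashboardAuthorizationFilter[]
            {
                new LocalRequestsOnlyAuthorizationFilter()
            }
        });
    }

    // For operators who genuinely need remote access: require an
    // authenticated user in a specific role (hypothetical role name) and
    // keep the dashboard read-only so remote users cannot requeue or delete
    // jobs. IsReadOnlyFunc is a DashboardOptions member in Hangfire 1.7.
    public static void MapDashboardForOperators(IApplicationBuilder app)
    {
        app.UseHangfireDashboard("/hangfire", new DashboardOptions
        {
            Authorization = new IDashboardAuthorizationFilter[]
            {
                new RoleDashboardAuthorizationFilter("hangfire-admin")
            },
            IsReadOnlyFunc = _ => true
        });
    }
}

// Hypothetical custom filter. IDashboardAuthorizationFilter is Hangfire's
// own extension point; GetHttpContext() is supplied by Hangfire.AspNetCore.
public sealed class RoleDashboardAuthorizationFilter : IDashboardAuthorizationFilter
{
    private readonly string _role;

    public RoleDashboardAuthorizationFilter(string role) => _role = role;

    public bool Authorize(DashboardContext context)
    {
        var user = context.GetHttpContext().User;
        // Deny unless the caller is authenticated AND holds the required role.
        return user?.Identity?.IsAuthenticated == true && user.IsInRole(_role);
    }
}
```

Whichever variant is used, verify it from a machine other than the Hangfire host: a request to /hangfire from a remote address should be rejected (or challenged for credentials in the role-based variant) rather than returning the jobs overview. The explicit LocalRequestsOnlyAuthorizationFilter is also worth keeping after upgrading to 1.7.26, since it documents the intended exposure in code instead of relying on the library default.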

References

Affected packages

Git / github.com/hangfireio/hangfire

Affected ranges

Type
GIT
Repo
https://github.com/hangfireio/hangfire
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

v.*

v.1.7.10

v0.*

v0.5
v0.6
v0.6-alpha
v0.6.2
v0.7.0
v0.7.0-beta.1
v0.7.0-beta.2
v0.7.1
v0.7.3
v0.7.4
v0.7.5
v0.8
v0.8.1
v0.8.2
v0.8.3
v0.9.0
v0.9.1

v1.*

v1.0
v1.0.0-alpha1
v1.0.2
v1.1.0
v1.1.0-alpha1
v1.1.0-alpha2
v1.1.0-alpha3
v1.1.1
v1.2.0
v1.2.1
v1.2.2
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.4.0
v1.4.0-beta1
v1.4.0-rc1
v1.4.0-rc2
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.5.0
v1.5.0-beta1
v1.5.0-beta2
v1.5.0-beta3
v1.5.0-beta4
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.5.7
v1.5.8
v1.5.9
v1.6.0
v1.6.0-beta1
v1.6.0-beta2
v1.6.0-beta3
v1.6.1
v1.6.10
v1.6.11
v1.6.12
v1.6.13
v1.6.14
v1.6.15
v1.6.16
v1.6.17
v1.6.18
v1.6.19
v1.6.2
v1.6.20
v1.6.21
v1.6.22
v1.6.23
v1.6.24
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.6.9
v1.7.0
v1.7.0-beta1
v1.7.0-beta2
v1.7.0-beta3
v1.7.0-beta4
v1.7.0-rc1
v1.7.0-rc2
v1.7.1
v1.7.11
v1.7.12
v1.7.13
v1.7.14
v1.7.15
v1.7.16
v1.7.17
v1.7.18
v1.7.19
v1.7.2
v1.7.20
v1.7.21
v1.7.22
v1.7.23
v1.7.24
v1.7.25
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.7.7
v1.7.8
v1.7.9