GHSA-m6j4-8r7p-wpp3

Source
https://github.com/advisories/GHSA-m6j4-8r7p-wpp3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-m6j4-8r7p-wpp3/GHSA-m6j4-8r7p-wpp3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m6j4-8r7p-wpp3
Aliases
Published
2021-10-06T17:46:55Z
Modified
2024-02-17T05:33:52.328118Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
BuddyPress privilege escalation via REST API
Details

Impact

It's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the BuddyPress REST API members endpoint.

Patches

The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.

References

https://buddypress.org/2021/03/buddypress-7-2-1-security-release/

For more information

If you have any questions or comments about this advisory:

  • Open an issue in HackerOne

Database specific
{
    "nvd_published_at": "2021-03-26T21:15:00Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-06T16:57:01Z"
}
Affected packages

Packagist / buddypress/buddypress

Package

Name
buddypress/buddypress
Purl
pkg:composer/buddypress/buddypress

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
7.2.1

Affected versions

5.*

5.0.0
5.1.0-beta1
5.1.0
5.1.1
5.1.2
5.2.0
5.2.1
5.2.2

6.*

6.0.0-beta1
6.0.0-beta2
6.0.0-RC1
6.0.0-RC2
6.0.0
6.1.0
6.2.0-beta1
6.2.0
6.3.0
6.4.0
6.4.2
6.4.3

7.*

7.0.0-beta1
7.0.0-beta2
7.0.0-RC1
7.0.0-RC2
7.0.0
7.1.0
7.2.0