8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32691

GHSA ID

GHSA-r578-pj6f-r4ff

EPSS Score

0.63976%

CWE

CWE-287

Published

6/21/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-32691

CVE-2021-32691: Auto-merging Person Records Compromised

Impact

New user registrations are able to access anyone's account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within the app, as well as any authenticated links to Rock-based webpages (such as giving and events).

Patches

We have released a security patch on v2.20.0. The solution was to create a duplicate person and then patch the new person with their profile details.

Workarounds

If you do not wish to upgrade your app to the new version, you can patch your server by overriding the create data source method on the People class.

  create = async (profile) => {
    const rockUpdateFields = this.mapApollosFieldsToRock(profile);
    // auto-merge functionality is compromised
    // we are creating a new user and patching them with profile details
    const id = await this.post('/People', {
      Gender: 0, // required by Rock. Listed first so it can be overridden.
      IsSystem: false, // required by rock
    });
    await this.patch(`/People/${id}`, {
      ...rockUpdateFields,
    });
    return id;
  };

For more information

If you have any questions or comments about this advisory:

Email us at support@apollos.app

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32691

GHSA ID

GHSA-r578-pj6f-r4ff

EPSS Score

0.63976%

CWE

CWE-287

Published

6/21/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@apollosproject/data-connector-rock	npm	< 2.20.0	2.20.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the create method's implementation in the People data source. The pre-patch version (shown in commit diff) directly posted user-provided profile data in the initial creation request, which activated unsafe auto-merging functionality. The security fix separated creation into two phases (minimal POST followed by PATCH), explicitly avoiding sending profile data in the initial request. The workaround documentation and CWE-303 (Incorrect Authentication Algorithm) directly implicate this function as the flawed authentication implementation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t N*w us*r r**istr*tions *r* **l* to ****ss *nyon*'s ***ount *y only knowin* t**ir **si* pro*il* in*orm*tion (n*m*, *irt***y, **n**r, *t*). T*is in*lu**s *ll *pp *un*tion*lity wit*in t** *pp, *s w*ll *s *ny *ut**nti**t** links to Ro*k-**s**

Reasoning

T** vuln*r**ility st*ms *rom t** `*r**t*` m*t*o*'s impl*m*nt*tion in t** P*opl* **t* sour**. T** pr*-p*t** v*rsion (s*own in *ommit *i**) *ir**tly post** us*r-provi*** pro*il* **t* in t** initi*l *r**tion r*qu*st, w*i** **tiv*t** uns*** *uto-m*r*in*

8.8

Basic Information

Concerned about an active attack path?

CVE-2021-32691: Auto-merging Person Records Compromised

Impact

Patches

Workarounds

For more information

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI