
CVE-2021-32691: Auto-merging Person Records Compromised

CVSS Score (v3.1): 8.8

Basic Information

EPSS Score: 0.63976%
Published: 6/21/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name: @apollosproject/data-connector-rock
Ecosystem: npm
Vulnerable Versions: < 2.20.0
First Patched Version: 2.20.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the `create` method of the People data source in @apollosproject/data-connector-rock. Before the patch (visible in the commit diff), `create` sent the user-supplied profile data (name, birthday, gender, etc.) in the initial person-creation request. That request triggers Rock's auto-merging of person records: an incoming record whose profile fields match an existing person is treated as that person, so a new registrant who supplies a victim's basic profile information is attached to the victim's existing record instead of getting a fresh one. The fix splits creation into two phases: a minimal POST that carries no profile data and therefore cannot match an existing record, followed by a PATCH that writes the profile onto the newly returned person Id. The published workaround and the CWE-303 classification (Incorrect Implementation of Authentication Algorithm) both point at this method as the flawed authentication step.


Impact

New user registrations are able to access anyone's account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within the app, as well as any authenticated links to Rock-based
