CVE-2021-32691: Auto-merging Person Records Compromised
CVSS Score: 8.8 (CVSS v3.1)

Basic Information

Field | Value |
---|---|
CVE ID | CVE-2021-32691 |
GHSA ID | |
EPSS Score | 0.63976% |
CWE | CWE-303 |
Published | 6/21/2021 |
Updated | 2/1/2023 |
KEV Status | No |
Technology | JavaScript |
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
@apollosproject/data-connector-rock | npm | < 2.20.0 | 2.20.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the implementation of the `create` method in the People data source. The pre-patch version (shown in the commit diff) posted user-provided profile data directly in the initial creation request, which activated Rock's unsafe auto-merging of person records. The security fix splits creation into two phases: a minimal POST that creates the record, followed by a PATCH that applies the profile data, so that no profile data is sent in the initial request. The workaround documentation and the assigned CWE-303 (Incorrect Authentication Algorithm) both point to this function as the flawed authentication implementation.