Miggo Logo

CVE-2021-39192: Privilege escalation: all users can access Admin-level API keys

6.5

CVSS Score
3.1

Basic Information

EPSS Score
0.5287%
Published
7/22/2021
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
ghostnpm>= 4.0.0, < 4.10.04.10.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper access control in the Integration Model's permission system. The Ghost 4.10.0 release notes explicitly mention fixing the 'permissible method for Integration Model' which aligns with the described vulnerability pattern. Since the integration API endpoint was exposing admin keys to non-admin users, the permission check function permissible() in the Integration Model implementation is the logical location for the flawed authorization logic. The combination of CWE-200 (exposure) and CWE-269 (privilege management) further supports that the vulnerability exists in the permission-checking function for API key access.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *n *rror in t** impl*m*nt*tion o* t** limits s*rvi** in *.*.* *llows *ll *ut**nti**t** us*rs (in*lu*in* *ontri*utors) to vi*w **min-l*v*l *PI k*ys vi* t** int**r*tions *PI *n*point, l***in* to * privil*** *s**l*tion vuln*r**ility. **ost(P

Reasoning

T** vuln*r**ility st*ms *rom improp*r ****ss *ontrol in t** Int**r*tion Mo**l's p*rmission syst*m. T** **ost *.**.* r*l**s* not*s *xpli*itly m*ntion *ixin* t** 'p*rmissi*l* m*t*o* *or Int**r*tion Mo**l' w*i** *li*ns wit* t** **s*ri*** vuln*r**ility p