Missing Authorization

CVE-2021-28154

Medium

6.4/10

Summary

** DISPUTED ** Camunda Modeler (aka camunda-modeler) through 4.6.0 allows arbitrary file access. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which manipulates the readFile and writeFile APIs. NOTE: the vendor states "The way we secured the app is that it does not allow any remote scripts to be opened, no unsafe scripts to be evaluated, no remote sites to be browsed."

Access Complexity: LOW
AccessVector: NETWORK
Authentication: NONE
Integrity Impact: PARTIAL
Confidentiality Impact: PARTIAL
Availability Impact: NONE

CWE-862 - Missing Authorization

The missing authorization vulnerability occurs when a software program allows users to access privileged parts of the program without verifying the user credentials. Impact of such a vulnerability depends on the resources employed by the software, ranging from account takeover to sensitive information exposure, denial of service, and complete system takeover.

References

Advisory Timeline

Published Mar 11, 2021

Missing Authorization

CVE-2021-28154

Summary

CWE-862 - Missing Authorization

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS