CVE-2021-21297

Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the 1.2.8 release. A workaround is to ensure only authorized users are able to access the editor url.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/node-red/node-red/releases/tag/1.2.8	Release Notes Third Party Advisory
https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67	Third Party Advisory
https://www.npmjs.com/package/%40node-red/editor-api
https://www.npmjs.com/package/%40node-red/runtime

Configurations

Configuration 1 (hide)

cpe:2.3:a:nodered:node-red:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2021-02-26 17:15

Updated : 2023-11-07 03:29

NVD link : CVE-2021-21297

Mitre link : CVE-2021-21297

CVE.ORG link : CVE-2021-21297

JSON object : View

Products Affected

nodered

node-red

CWE

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

{"id": "CVE-2021-21297", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.1}]}, "published": "2021-02-26T17:15:12.210", "references": [{"url": "https://github.com/node-red/node-red/releases/tag/1.2.8", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.npmjs.com/package/%40node-red/editor-api", "source": "security-advisories@github.com"}, {"url": "https://www.npmjs.com/package/%40node-red/runtime", "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-1321"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1321"}, {"lang": "en", "value": "CWE-915"}]}], "descriptions": [{"lang": "en", "value": "Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the 1.2.8 release. A workaround is to ensure only authorized users are able to access the editor url."}, {"lang": "es", "value": "Node-Red es una programaci\u00f3n de low-code para aplicaciones basadas en eventos dise\u00f1adas usando nodejs. Node-RED versiones 1.2.7 y anteriores contienen, una vulnerabilidad de Contaminaci\u00f3n de Prototipos en la API de administraci\u00f3n. Una petici\u00f3n mal formada puede modificar el prototipo del Objeto JavaScript predeterminado con el potencial de afectar el comportamiento predeterminado del tiempo de ejecuci\u00f3n de Node-RED. La vulnerabilidad est\u00e1 parcheada en versi\u00f3n 1.2.8. Una soluci\u00f3n alternativa es asegurarse de que solo los usuarios autorizados puedan ser capaces de acceder a la URL de editor"}], "lastModified": "2023-11-07T03:29:45.950", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nodered:node-red:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "FD380E45-4954-4427-90D5-66896B983B30", "versionEndExcluding": "1.2.8"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}