CVE-2021-39192

Improper Privilege Management in npm/ghost

Identifiers

CVE-2021-39192, GHSA-j5c2-hm46-wp5c

Package Slug

npm/ghost

Vulnerability

Improper Privilege Management

Description

Ghost is a Node.js content management system. An error in the implementation of the limits service allows all authenticated users (including contributors) to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. As a workaround, disable all non-Administrator accounts to prevent API access. It is highly recommended to regenerate all API keys after patching or applying the workaround.

Affected Versions

All versions from 4.0.0 (inclusive) up to, but not including, 4.10.0

Solution

Upgrade to version 4.10.0 or above.

Last Modified

2021-09-13
