CVE-2021-29452: Improper Privilege Management

April 19, 2021

a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2.

References

github.com/advisories/GHSA-8hw9-22v6-9jr9
github.com/curveball/a12n-server/security/advisories/GHSA-8hw9-22v6-9jr9
nvd.nist.gov/vuln/detail/CVE-2021-29452
www.npmjs.com/package/@curveball/a12n-server

Detect and mitigate CVE-2021-29452 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →