Vulnerability Description
A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.x before 2.2.1. The WebUI component allows an unauthenticated user to use a crafted HTTP API request to create, read, update, or delete entries in the subscriber database. For example, new administrative users can be added. The issue occurs because Express is not set up to require authentication.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Open5Gs | Open5Gs | >= 2.1.3, <= 2.2.0 |
Related Weaknesses (CWE)
References
- https://github.com/open5gs/open5gs/compare/v2.2.0...v2.2.1PatchThird Party Advisory
- https://github.com/open5gs/open5gs/issues/837ExploitThird Party Advisory
- https://github.com/open5gs/open5gs/pull/838PatchThird Party Advisory
- https://github.com/open5gs/open5gs/releasesRelease NotesThird Party Advisory
- https://github.com/open5gs/open5gs/compare/v2.2.0...v2.2.1PatchThird Party Advisory
- https://github.com/open5gs/open5gs/issues/837ExploitThird Party Advisory
- https://github.com/open5gs/open5gs/pull/838PatchThird Party Advisory
- https://github.com/open5gs/open5gs/releasesRelease NotesThird Party Advisory
FAQ
What is CVE-2021-28122?
CVE-2021-28122 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.x before 2.2.1. The WebUI component allows an unauthenticated user to use a crafted HTTP API request to create, read, update, or ...
How severe is CVE-2021-28122?
CVE-2021-28122 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-28122?
Check the references section above for vendor advisories and patch information. Affected products include: Open5Gs Open5Gs.