Vulnerability Description
Apollos Apps is an open source platform for launching church-related apps. In Apollos Apps versions prior to 2.20.0, new user registrations are able to access anyone's account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within the app, as well as any authenticated links to Rock-based webpages (such as giving and events). There is a patch in version 2.20.0. As a workaround, one can patch one's server by overriding the `create` data source method on the `People` class.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apollosapp | Data-Connector-Rock | < 2.20.0 |
Related Weaknesses (CWE)
References
- https://github.com/ApollosProject/apollos-apps/commit/cb5f8f1c0b24f1b215b2bb5eb6PatchThird Party Advisory
- https://github.com/ApollosProject/apollos-apps/releases/tag/v2.20.0PatchThird Party Advisory
- https://github.com/ApollosProject/apollos-apps/security/advisories/GHSA-r578-pj6MitigationThird Party Advisory
- https://github.com/ApollosProject/apollos-apps/commit/cb5f8f1c0b24f1b215b2bb5eb6PatchThird Party Advisory
- https://github.com/ApollosProject/apollos-apps/releases/tag/v2.20.0PatchThird Party Advisory
- https://github.com/ApollosProject/apollos-apps/security/advisories/GHSA-r578-pj6MitigationThird Party Advisory
FAQ
What is CVE-2021-32691?
CVE-2021-32691 is a vulnerability with a CVSS score of 8.8 (HIGH). Apollos Apps is an open source platform for launching church-related apps. In Apollos Apps versions prior to 2.20.0, new user registrations are able to access anyone's account by only knowing their ba...
How severe is CVE-2021-32691?
CVE-2021-32691 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-32691?
Check the references section above for vendor advisories and patch information. Affected products include: Apollosapp Data-Connector-Rock.