CVE-2021-38616 — HIGH (7.6)

Vulnerability Description

In Eigen NLP 3.10.1, a lack of access control on the /auth/v1/user/{user-guid}/ user edition endpoint could permit any logged-in user to increase their own permissions via a user_permissions array in a PATCH request. A guest user could modify other users' profiles and much more.

CVSS Score

7.6

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Eigentech	Natural Language Processing	3.10.1

References

https://cds.thalesgroup.com/en/tcs-cert/CVE-2021-38616
https://eigentech.com/Vendor Advisory
https://excellium-services.com/cert-xlm-advisory/Third Party Advisory
https://excellium-services.com/cert-xlm-advisory/CVE-2021-38616Third Party Advisory
https://eigentech.com/Vendor Advisory
https://excellium-services.com/cert-xlm-advisory/Third Party Advisory
https://excellium-services.com/cert-xlm-advisory/CVE-2021-38616Third Party Advisory

FAQ

What is CVE-2021-38616?

CVE-2021-38616 is a vulnerability with a CVSS score of 7.6 (HIGH). In Eigen NLP 3.10.1, a lack of access control on the /auth/v1/user/{user-guid}/ user edition endpoint could permit any logged-in user to increase their own permissions via a user_permissions array in ...

How severe is CVE-2021-38616?

CVE-2021-38616 has been rated HIGH with a CVSS base score of 7.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-38616?

Check the references section above for vendor advisories and patch information. Affected products include: Eigentech Natural Language Processing.