CVE-2021-38384

Serverless Offline 8.0.0 returns a 403 HTTP status code for a route that has a trailing / character, which might cause a developer to implement incorrect access control, because the actual behavior within the Amazon AWS environment is a 200 HTTP status code (i.e., possibly greater than expected permissions).

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/dherault/serverless-offline/issues/1259	Exploit Third Party Advisory
https://github.com/dherault/serverless-offline/issues/1259	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:serverless_offline_project:serverless_offline:8.0.0:*:*:*:*:*:*:*

History

21 Nov 2024, 06:16

Type	Values Removed	Values Added
References	~~() https://github.com/dherault/serverless-offline/issues/1259 - Exploit, Third Party Advisory~~	() https://github.com/dherault/serverless-offline/issues/1259 - Exploit, Third Party Advisory

12 Jul 2022, 17:42

Type	Values Removed	Values Added
CWE	~~CWE-863~~	CWE-755

17 Aug 2021, 19:35

Type	Values Removed	Values Added
References	~~(MISC) https://github.com/dherault/serverless-offline/issues/1259 -~~	(MISC) https://github.com/dherault/serverless-offline/issues/1259 - Exploit, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 7.5 v3 : 9.8
CWE		CWE-863
CPE		cpe:2.3:a:serverless_offline_project:serverless_offline:8.0.0:::::::*

10 Aug 2021, 18:30

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-08-10 18:15

Updated : 2024-11-21 06:16

NVD link : CVE-2021-38384

Mitre link : CVE-2021-38384

CVE.ORG link : CVE-2021-38384

JSON object : View

Products Affected

serverless_offline_project

serverless_offline

CWE

CWE-755

Improper Handling of Exceptional Conditions

{"id": "CVE-2021-38384", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2021-08-10T18:15:07.513", "references": [{"url": "https://github.com/dherault/serverless-offline/issues/1259", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/dherault/serverless-offline/issues/1259", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-755"}]}], "descriptions": [{"lang": "en", "value": "Serverless Offline 8.0.0 returns a 403 HTTP status code for a route that has a trailing / character, which might cause a developer to implement incorrect access control, because the actual behavior within the Amazon AWS environment is a 200 HTTP status code (i.e., possibly greater than expected permissions)."}, {"lang": "es", "value": "Serverless Offline versi\u00f3n 8.0.0, devuelve un c\u00f3digo de estado HTTP 403 para una ruta que presenta un car\u00e1cter / al final, lo que podr\u00eda causar a un desarrollador implementar un control de acceso incorrecto, porque el comportamiento real dentro del entorno de Amazon AWS es un c\u00f3digo de estado HTTP 200 (es decir, posiblemente mayores permisos de los esperados)"}], "lastModified": "2024-11-21T06:16:57.640", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:serverless_offline_project:serverless_offline:8.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "14209048-68A5-4D34-ACD2-6854E84A5208"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}

9.8 /10